Preface


This volume contains the proceedings of the First International Workshop on Hybrid Systems: Computation and Control, HSCC'98, organized April 13-15, 1998, at the University of California, Berkeley. Following several meetings that were initiated by Anil Nerode at Cornell University, this is the first of a newly constituted, regular annual series of workshops on hybrid systems. Papers from the earlier meetings were published in the Springer-Verlag Lecture Notes in Computer Science series, volumes 736, 999, 1066, 1201, and 1273. The steering committee of the new workshop series includes Panos Antsaklis (University of Notre Dame), Nancy Lynch (Massachusetts Institute of Technology), Amir Pnueli (Weizmann Institute, Israel), Alberto Sangiovanni-Vincentelli (University of California, Berkeley), and Jan van Schuppen (CWI, The Netherlands).

The focus of the workshop is on mathematical methods for the rigorous and systematic design and analysis of hybrid systems. A hybrid system consists of digital devices that interact with analog environments. Driven by rapid advances in digital controller technology, hybrid systems are objects of investigation of increasing relevance and importance. The emerging area of hybrid systems research lies at the crossroads of computer science and control theory: computer science contributes expertise on the digital aspects of a hybrid system, and control theory contributes expertise on the analog aspects. Since the two research communities speak largely different languages and employ largely different methods, a major purpose of the workshop is to bring together researchers from both disciplines.

The three-day workshop will feature six invited keynote speakers and 26 contributed talks that were selected from 55 submissions by a technical program committee. The keynote lecturers will be Panos Antsaklis (University of Notre Dame), Stephen Boyd (Stanford University), Edward Lee (University of California, Berkeley), Alberto Sangiovanni-Vincentelli (University of California, Berkeley), Joseph Sifakis (VERIMAG, France), and Murray Wonham (University of Toronto). Additional invited addresses will be given by Linda Bushnell from the Army Research Office and by Helen Gill from the Defense Advanced Research Projects Agency. The workshop will also include demos of software tools for the design, analysis, and simulation of hybrid systems.

The program committee was chaired by the editors and included Rajeev Alur (University of Pennsylvania), Karl Astrom (Lund University, Sweden), Albert Benveniste (INRIA-IRISA, France), Ahmed Bouajjani (VERIMAG, France), Michael Branicky (Case Western Reserve University), Peter Caines (McGill University), Datta Godbole (PATH Berkeley, California), Mark Greenstreet (University of British Columbia), Vineet Gupta (NASA Ames, California), Bruce Krogh (Carnegie Mellon University), Stephane Lafortune (University of Michigan), Kim Larsen (Aalborg University, Denmark), Oded Maler (VERIMAG, France), Stephen Morse (Yale University), Anil Nerode (Cornell University), Peter Ramadge (Princeton University), Roberto Segala (University of Bologna, Italy), and Howard Wong-Toi (Cadence Berkeley Labs, California). In the selection process, the program committee was aided by the following reviewers: L. Aceto, K. Al-Wahedi, E. Asarin, E. Badouel, G. Barrett, O. Bournez, A. Chutinan, P. Codognet, R. Debouk, A. Deshpande, A. Fehnker, A. Hicks, R. Jagadeesan, M. Kourjanski, Y. Lakhnech, F. Lin, J. Lygeros, H. McClamroch, R. Nikoukhah, G. Pappas, A. Puri, R. Rajamani, H. Schumacher, R. Sengupta, A. Skou, M. Sorine, C. Tomlin, and C. Weise. The steering committee handled all submissions that were co-authored by the program chairs.

We are grateful to all invitees, contributors, and reviewers for making the workshop a success. In addition, we wish to thank Carol Block for administrating the workshop organization, John Lygeros and Serdar Tasiran for organizing the tool demos, Alexa Brudy and Flora Oviedo for organizational support, and the Army Research Office for generous financial support.


January  1998 


Thomas  A.  Henzinger 
Shankar  Sastry 
Equations on Timed Languages *


Eugene ASARIN

Institute for Information Transmission Problems
19 Bolshoi Karetnyi lane, 101447, Moscow, Russia
asarin@ippi.ras.ru


Abstract. We continue the investigation of languages accepted by the timed automata of Alur and Dill. In [ACM97] timed regular expressions equivalent to timed automata were introduced. Here we introduce quasilinear equations over timed languages with regular coefficients. We prove that the minimal solution of such an equation is regular and give an algorithm to calculate this solution. This result is used to obtain a new proof of the Kleene theorem ([ACM97]) for timed automata. Equations over timed languages can also be considered as an alternative way of specifying these languages.


1  Introduction 

Timed automata ([AD94]) form the best investigated class of hybrid systems. It is known which problems about these automata are decidable and which are not, and there are tools for testing emptiness, computing reachable states, etc. ([DOTY96]). However, some theoretical aspects and parallels with ordinary finite automata are still not clear. This paper may be considered as a continuation of [ACM97], where timed languages were analyzed from the traditional linguistic viewpoint and timed regular expressions capable of specifying exactly the same languages as timed automata were introduced.

We take as a model the following classical (forty-year-old) results about finite automata, regular languages and linear equations (see e.g. [Brz62]).

Any system of linear equations of the form

$$X_i = \alpha_i + \sum_{j=1}^{n} \beta_{ij} X_j, \qquad i = 1, \dots, n, \tag{1}$$

where the $X_i$ stand for unknown languages and $\alpha_i$, $\beta_{ij}$ for given regular coefficients, has a regular minimal solution. The regular expression for this solution can be found effectively from the coefficients.

For any finite automaton a system (1) can be easily constructed, each unknown $X_i$ of the system corresponding to a state $q_i$ of the automaton. In the minimal solution, the language $X_i$ is exactly the language accepted by the automaton starting from the state $q_i$.

As a corollary these two classical results imply Kleene's theorem ([Kle56]) about the regularity of languages accepted by finite automata.

* This research was supported in part by the Russian Foundation for Basic Research under the grants 97-01-00692 and 96-15-96048; and by the International Association for the Promotion of Cooperation with Scientists from the Independent States of the Former Soviet Union (INTAS) under the grant 94-697.

Our aim is to port these results to timed automata and to introduce a class of equations over timed languages capable of specifying the languages of one-clock timed automata. These equations are similar to the classical linear equations (1). However, the following example shows that a straightforward timed adaptation of linear equations cannot work.


Fig. 1. Two automata


Example 1. The language of the first (untimed) automaton on Figure 1 can be represented by the following equations:

$$\begin{cases} X_1 = aX_2 + bX_3 \\ X_2 = b + aX_3 \\ X_3 = a \end{cases}$$

Here $X_i$ stands for the language accepted from the state $q_i$, and each transition from $q_i$ to $q_j$ labeled with $a$ can be represented by a term $aX_j$ in the equation for $X_i$. Roughly speaking, such a transition corresponds to concatenating its label $a$ to the language.

The case of the second (timed) automaton is more complicated because now there are two kinds of transitions. Some of them reset the clock, and in this case they can also be represented by concatenation of the label (with a time restriction) to the language. However, some transitions do not reset the clock. We cannot write an equation like $X_1 = aX_2 + bX_3$ with a constraint on the sojourn time in state $q_1$, because after completing action $b$ the automaton enters the state $q_3$ with a modified clock value.

To deal with this problem we introduce another composition operation on timed languages (the $\circ$ operation) which corresponds to non-resetting transitions. We introduce quasilinear equations on timed languages which use both kinds of concatenation ($\cdot$ and $\circ$) and are strong enough to represent one-clock timed automata.

Our main result is that any system of equations of this class with regular coefficients has a regular minimal solution. We give an algorithm to compute this solution.

The paper is motivated by the theory of timed automata; however, the major part of it (Sections 3-4) contains an automata-free theory of timed languages, timed regular expressions and quasilinear equations on timed languages. In our opinion, this linguistic approach could be useful for other classes of hybrid systems as well.

The outline of the paper is as follows. In Section 2 we recall the definition of timed regular languages from [ACM97]. In Section 3 the new operation $\circ$ over languages is formally introduced. This operation is crucial for representing timed automata by equations. We investigate algebraic properties of this operation and show that $\circ$ can, in a sense, be eliminated. In Section 4 quasilinear equations are introduced and solved. The possibility of solving this kind of equations is the main result of the paper. In Section 5 we recall the definition of timed automata and apply our main result to the languages of these automata. For any one-clock automaton we construct a quasilinear system which represents the language of this automaton. This provides an alternative proof of the expressive equivalence of timed automata and timed regular expressions from [ACM97]. In the last section further work is discussed.


2 Timed Regular Languages

We reproduce in a slightly modified form the basic definitions of timed languages and timed regular expressions from [ACM97]. Let $\Sigma$ be a finite alphabet and let $\mathbb{R}_+$ denote the set of positive real numbers. A signal over $\Sigma$ is a timed sequence of elements of $\Sigma$, i.e. a finite sequence $w = ((a_1, t_1), \dots, (a_n, t_n))$ with $a_i \in \Sigma$ and $t_i \in \mathbb{R}_+$, such that $0 < t_1 < \dots < t_n$. We will also write this signal as

$$w = a_1^{\tau_1} a_2^{\tau_2} \cdots a_n^{\tau_n},$$

where $\tau_1 = t_1$ and $\tau_{i+1} = t_{i+1} - t_i$, i.e. the $\tau_i$ are the relative delays between occurrences of the $a_i$. We call $t_n$ the length of $w$ and denote it by $|w|$. The empty signal is denoted by $\varepsilon$. Its length equals 0. The set of all signals is denoted by $S(\Sigma)$. Subsets of $S(\Sigma)$ are referred to as (timed) languages. For every $w_1, w_2 \in S(\Sigma)$ such that $w_1 = a_1^{\tau_1} \cdots a_n^{\tau_n}$ and $w_2 = b_1^{\sigma_1} \cdots b_m^{\sigma_m}$ we define their concatenation as $w = w_1 w_2 = a_1^{\tau_1} \cdots a_n^{\tau_n} b_1^{\sigma_1} \cdots b_m^{\sigma_m}$. This notion can be extended naturally to the concatenation of languages by letting

$$L_1 L_2 = \{w_1 w_2 : w_1 \in L_1 \wedge w_2 \in L_2\}.$$

An integer-bounded interval is either $[l, u]$, $(l, u]$, $[l, u)$, or $(l, u)$ where $l \in \mathbb{N}$ and $u \in \mathbb{N} \cup \{\infty\}$ such that $l \le u$. We exclude $\infty]$ and use $l$ for $[l, l]$.
Definition 1 (Timed Regular Expressions). The set $\mathcal{E}(\Sigma)$ of timed regular expressions over an alphabet $\Sigma$ (expressions, for short) is defined recursively as either $a$, $\alpha_1 \cdot \alpha_2$, $\alpha_1 + \alpha_2$, $\alpha^*$ or $\langle\alpha\rangle_I$, where $a \in \Sigma$, $\alpha, \alpha_1, \alpha_2 \in \mathcal{E}(\Sigma)$ and $I$ is an integer-bounded interval.

The semantics of timed regular expressions, $[\![\cdot]\!] : \mathcal{E}(\Sigma) \to 2^{S(\Sigma)}$, is given by:

$$\begin{aligned}
[\![a]\!] &= \{a^\tau : \tau \in \mathbb{R}_+\} \\
[\![\alpha_1 + \alpha_2]\!] &= [\![\alpha_1]\!] \cup [\![\alpha_2]\!] \\
[\![\alpha_1 \cdot \alpha_2]\!] &= [\![\alpha_1]\!]\,[\![\alpha_2]\!] \\
[\![\alpha^*]\!] &= \bigcup_{i \ge 0} [\![\alpha]\!]^i \\
[\![\langle\alpha\rangle_I]\!] &= [\![\alpha]\!] \cap \{w : |w| \in I\}
\end{aligned}$$

Some comments should be given here. First, the semantics of $a$ is not a singleton, but a non-countable language. The intuitive meaning of this expression is that some unknown time passes and then event $a$ happens. The operations $+$, $\cdot$ and $*$ are the same as for untimed languages. The only operation which introduces time explicitly is "time restriction" $\langle\ \rangle_I$, which chooses only those signals in the language whose lengths belong to the constraining interval $I$.

Example 2.

$$[\![\langle\langle ab\rangle_{(2,3)}\, c\rangle_{100}]\!] = \{a^x b^y c^z \mid 2 < x + y < 3;\ x + y + z = 100\}.$$

To simplify notation we write $\varepsilon$ for the regular expression $\langle a^*\rangle_0$, whose semantics is exactly $\{\varepsilon\}$.

The expressions introduced here form a proper subclass of those introduced in [ACM97], because here intersection is not allowed in the syntax. This change explains the difference between the formulation of Theorem 15 below and that of the same theorem in [ACM97].

3 Operation $\circ$

Begin with the following shift operation over signals, which just delays the beginning by $t$ and preserves the relative delays between events.

Definition 2. For a signal $w = a_1^{\tau_1} a_2^{\tau_2} \cdots a_n^{\tau_n}$ let $S^t w = a_1^{\tau_1 + t} a_2^{\tau_2} \cdots a_n^{\tau_n}$.

We say that a language $L$ is shift-invariant if $S^{-t}L = L$ for any $t > 0$, i.e. any signal $w$ belongs (or does not belong) to $L$ simultaneously with $S^t w$. The following condition is sufficient for shift invariance: the regular expression should not begin with something in $\langle\ \rangle$. Formally speaking:

Lemma 3. If a regular expression has the form $\sum_i \alpha_i \beta_i$, where $\alpha_i \in \mathcal{E}(\Sigma)$ and $\alpha_i$ does not contain $\langle\ \rangle$, then its language is shift-invariant. We call this type of regular expressions dull.
Now we can define a new composition operation over timed languages which is crucial for describing timed automata.

Definition 4. Let $L_1$ and $L_2$ be timed languages. Then

$$L_1 \circ L_2 = \{w_1 w_2 \mid w_1 \in L_1 \text{ and } S^{|w_1|} w_2 \in L_2\}.$$

Fig. 2. Two compositions

In other words, for two signals $w_1 = ((a_1, t_1), \dots, (a_n, t_n)) \in L_1$ and $w_2 = ((b_1, s_1), \dots, (b_m, s_m)) \in L_2$ such that $t_n < s_1$ we include the signal $((a_1, t_1), \dots, (a_n, t_n), (b_1, s_1), \dots, (b_m, s_m))$ into $L_1 \circ L_2$. Figure 2 illustrates $\circ$-composition in comparison with concatenation.

First of all, we state some simple algebraic properties of this composition operation.

Proposition 5 (Algebraic properties of circle).
- the operation $\circ$ is $+$-distributive: $(\alpha + \beta) \circ \gamma = \alpha \circ \gamma + \beta \circ \gamma$ and $\alpha \circ (\beta + \gamma) = \alpha \circ \beta + \alpha \circ \gamma$;
- the operation $\circ$ is associative: $(\alpha \circ \beta) \circ \gamma = \alpha \circ (\beta \circ \gamma)$;
- $\alpha \circ (\beta\gamma) = (\alpha \circ \beta)\gamma$ if $\varepsilon \notin \beta$.

We suppose that $\circ$ cannot be expressed in terms of the other operations. However, it can be eliminated for regular languages.

Proposition 6 (Circle elimination). If $L_1$ and $L_2$ are regular, then $L_1 \circ L_2$ is regular. The regular expression for it can be obtained algorithmically.

Circle elimination is easy with the following prefix form of regular expressions.

Lemma 7. Any regular expression can be effectively transformed to the form

$$\gamma + \sum_{k=1}^{n} \langle\alpha_k\rangle_{I_k} \beta_k \tag{2}$$

or

$$\varepsilon + \gamma + \sum_{k=1}^{n} \langle\alpha_k\rangle_{I_k} \beta_k, \tag{3}$$

where $\gamma$ is dull and $\varepsilon \notin \alpha_k$.

The proof is by induction over the structure of the regular expression. The only bad operation is the Kleene star; all others are trivial. To deal with the Kleene star suppose that $\delta$ is already in the prefix form (2), $\delta = \gamma + \sum_k \langle\alpha_k\rangle_{I_k}\beta_k$, transform the expression $\delta^*$ to the form $\delta\delta^* + \varepsilon$ and open the parentheses:

$$\delta\delta^* + \varepsilon = \Big(\gamma + \sum_k \langle\alpha_k\rangle_{I_k}\beta_k\Big)\delta^* + \varepsilon = \gamma\delta^* + \sum_k \langle\alpha_k\rangle_{I_k}\beta_k\delta^* + \varepsilon,$$

which is already in the required form (3). The case when $\delta$ is in the form (3) is considered similarly.

It is easy to calculate the $\circ$-composition with terms of (2) or (3):

- if $\gamma$ is dull then $\delta \circ \gamma = \delta\gamma$;
- $\delta \circ \langle\alpha\rangle_I\beta = \langle\delta \circ \alpha\rangle_I\beta$ if $\varepsilon \notin \alpha$ (when $\alpha$ is itself dull, as for the coefficients arising from automata in Section 5, this is $\langle\delta\alpha\rangle_I\beta$ by the first rule);
- $\delta \circ \varepsilon = \delta$.

Proposition 6 is now immediate.

We illustrate Proposition 6 by the following example.

Example 3. Let us eliminate $\circ$ from $\delta = \langle d\rangle_3 \circ (\langle ab\rangle_8 c)^*$. First transform the second term to the prefix form: $(\langle ab\rangle_8 c)^* = \langle ab\rangle_8 c (\langle ab\rangle_8 c)^* + \varepsilon$, and second calculate $\delta = \langle\langle d\rangle_3 ab\rangle_8 c (\langle ab\rangle_8 c)^* + \langle d\rangle_3$.

We can introduce the following analogue of the Kleene star for $\circ$-composition.

Definition 8. $L^{\circledast} = \varepsilon \cup L \cup L \circ L \cup L \circ L \circ L \cup \dots$

This operation can also be eliminated for regular languages. However, this result is less straightforward.

Proposition 9 (Circled star elimination). If $L$ is regular, then $L^{\circledast}$ is regular. The regular expression for it can be obtained algorithmically.

Notice that this is easy for the terms of (2). In fact, if $\gamma$ is dull then $\gamma^{\circledast} = \gamma^*$, and, for dull $\alpha$ with $\varepsilon \notin \alpha$,

$$(\langle\alpha\rangle_I\beta)^{\circledast} = \langle\langle\alpha\rangle_I (\beta\alpha)^*\rangle_I\beta + \varepsilon$$

(the first $\alpha$ must end in $I$ and the last one must end in $I$; since $I$ is an interval and lengths of prefixes grow, every $\alpha$ in between then ends in $I$ as well).
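As an added illustration (example code written for this edition, not part of the paper), the following Python checks membership in the semantics of Definition 1, extended with the $\circ$-composition of Definition 4 and the circled star of Definition 8, by exhaustive splitting of a finite signal. It is a reference oracle rather than an efficient decision procedure; it is used here to confirm Example 2, the circle elimination of Example 3, the single-term circled-star identity above and the difference between the two compositions of Fig. 2 on constructed sample signals. The names `member`, `signal`, `agree` and the interval encoding `(lo, hi, lo_closed, hi_closed)` are ours.

```python
# Signals are tuples of (letter, delay) pairs, delay > 0 being the relative
# delay tau_i of Section 2; () is the empty signal epsilon.

def length(w):
    """|w|: the absolute time of the last event (0 for the empty signal)."""
    return sum(d for _, d in w)

def shift(t, w):
    """S^t w (Definition 2): delay the first event by t, keep the later delays."""
    return w if not w else ((w[0][0], w[0][1] + t),) + w[1:]

def in_interval(x, iv):
    """iv = (lo, hi, lo_closed, hi_closed); hi may be float('inf').  pt(l) is [l, l]."""
    lo, hi, lc, hc = iv
    return (lo <= x if lc else lo < x) and (x <= hi if hc else x < hi)

def pt(l):
    return (l, l, True, True)

# Expression trees: the constructors of Definition 1 plus o and the circled star.
def sym(a):       return ('sym', a)
def cat(*es):     return es[0] if len(es) == 1 else ('cat', es[0], cat(*es[1:]))
def plus(*es):    return es[0] if len(es) == 1 else ('sum', es[0], plus(*es[1:]))
def star(e):      return ('star', e)
def timed(e, iv): return ('time', e, iv)   # <e>_I
def circ(e1, e2): return ('circ', e1, e2)  # e1 o e2 (Definition 4)
def cstar(e):     return ('cstar', e)      # e^(circled star) (Definition 8)

def member(w, e):
    """Decide w in [[e]] by structural recursion over all splits of w."""
    kind, n = e[0], len(w)
    if kind == 'sym':
        return n == 1 and w[0][0] == e[1]
    if kind == 'sum':
        return member(w, e[1]) or member(w, e[2])
    if kind == 'time':
        return in_interval(length(w), e[2]) and member(w, e[1])
    if kind == 'cat':
        return any(member(w[:i], e[1]) and member(w[i:], e[2]) for i in range(n + 1))
    if kind == 'circ':   # w = w1 w2 with w1 in L1 and S^{|w1|} w2 in L2
        return any(member(w[:i], e[1]) and member(shift(length(w[:i]), w[i:]), e[2])
                   for i in range(n + 1))
    if kind == 'star':   # w in L* iff w empty, or w = u v with u non-empty in L and v in L*
        return not w or any(member(w[:i], e[1]) and member(w[i:], e) for i in range(1, n + 1))
    if kind == 'cstar':  # the same with o in place of concatenation (eps o L = L)
        return not w or any(member(w[:i], e[1]) and member(shift(length(w[:i]), w[i:]), e)
                            for i in range(1, n + 1))
    raise ValueError(kind)

def signal(*events):
    """Build a signal from (letter, absolute time) pairs, i.e. from a trace."""
    out, prev = [], 0
    for a, t in events:
        assert t > prev, "event times must be strictly increasing"
        out.append((a, t - prev)); prev = t
    return tuple(out)

def agree(e1, e2, signals):
    """True when e1 and e2 accept exactly the same signals of the sample."""
    return all(member(w, e1) == member(w, e2) for w in signals)

# Example 2 of the paper:  <<ab>_(2,3) c>_100
EX2 = timed(cat(timed(cat(sym('a'), sym('b')), (2, 3, False, False)), sym('c')), pt(100))

# Example 3:  <d>_3 o (<ab>_8 c)*   versus its circle-free form
AB8C = cat(timed(cat(sym('a'), sym('b')), pt(8)), sym('c'))
EX3_LHS = circ(timed(sym('d'), pt(3)), star(AB8C))
EX3_RHS = plus(cat(timed(cat(timed(sym('d'), pt(3)), sym('a'), sym('b')), pt(8)), sym('c'), star(AB8C)),
               timed(sym('d'), pt(3)))

# Circled star of one prefix-form term with I = (2, 10):
#   (<ab>_I c)^(circled star)   versus   <<ab>_I (c ab)*>_I c + eps
I = (2, 10, False, False)
CS_LHS = cstar(cat(timed(cat(sym('a'), sym('b')), I), sym('c')))
CS_RHS = plus(cat(timed(cat(timed(cat(sym('a'), sym('b')), I), star(cat(sym('c'), sym('a'), sym('b')))), I),
                  sym('c')),
              timed(star(sym('a')), pt(0)))   # <a*>_0 is the paper's notation for eps

# Constructed sample signals (absolute times), including near-miss negatives.
SAMPLE = [
    signal(), signal(('d', 3)), signal(('d', 4)),
    signal(('d', 3), ('a', 5), ('b', 8), ('c', 9)),
    signal(('d', 3), ('a', 5), ('b', 7), ('c', 9)),
    signal(('d', 3), ('a', 5), ('b', 8), ('c', 9), ('a', 12), ('b', 17), ('c', 18)),
    signal(('a', 1), ('b', 3), ('c', 4)),
    signal(('a', 1), ('b', 3), ('c', 4), ('a', 5), ('b', 6), ('c', 7)),
    signal(('a', 1), ('b', 3), ('c', 4), ('a', 9), ('b', 11), ('c', 12)),
]
```

The `star` and `cstar` cases only try non-empty first factors: an empty factor contributes nothing to a concatenation and $\varepsilon \circ L = L$, so dropping it loses no signal and keeps the recursion well-founded. Because the checker enumerates every split it is exponential in the number of events and is meant for small witnesses such as those in `SAMPLE`.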

The general case is more difficult. We give only a sketch of the proof. First of all, transform the expression to the prefix form (2). Let $0 = r_0 < r_1 < r_2 < \dots < r_n = \infty$ be all the endpoints of the intervals $I_k$. For each pair of values $i$ and $k$ either $(r_i, r_{i+1}) \subset I_k$ (in this case we say that $\alpha_k$ is active on $(r_i, r_{i+1})$), or $I_k \cap (r_i, r_{i+1}) = \emptyset$. If $\alpha_k$ is active, it means that it is allowed to terminate anywhere inside the interval $(r_i, r_{i+1})$. Otherwise it is not allowed to terminate in $(r_i, r_{i+1})$. Let $A_i = \{k : \alpha_k \text{ is active on } (r_i, r_{i+1})\}$. $\gamma$ is allowed everywhere, and $\beta_k$ should happen after the corresponding active $\alpha_k$. For each $i$ we define a regular expression $\Delta_i = (\gamma + \sum_{k \in A_i} \alpha_k\beta_k)^*$. Its language contains concatenations of words active on $(r_i, r_{i+1})$. Any word from $\Delta_i$, if it fits into $(r_i, r_{i+1})$, may occur during this time interval.

Let $w$ be a signal from $L^{\circledast}$. It can be parsed as follows:

$$w = w_0\delta_0\, w_1\delta_1 \cdots w_m\delta_m, \tag{4}$$

where $m \le n$, $r_i$ occurs during $w_i$, the shifts of the $w_i$ belong to some $\langle\alpha_k\rangle_{I_k}\beta_k$ or to $\gamma$, and $\delta_i \in \Delta_i$. The idea behind this parsing is to see what happens at the finitely many critical times $r_i$ and to allow any number of $\gamma$ and $\alpha_k\beta_k$, where $k \in A_i$, to happen on the interval $(r_i, r_{i+1})$ (see Fig. 3).


Fig. 3. Parsing a signal from $L^{\circledast}$ (segments $w_0, \delta_0, w_1, \delta_1, w_2, \delta_2$ against the critical times $r_0 = 0, r_1, r_2$; $w_0$ lies in $\alpha_1\beta_1$, $\delta_0 \in \Delta_0$, $w_1$ in $\alpha_4\beta_4$, $\delta_1 \in \Delta_1$, $w_2$ in $\gamma$, $\delta_2 \in \Delta_2$)


All these requirements can be written as a regular expression. For the sake of simplicity we ignore the case when some boundary is exactly at $r_i$ or when some $w_i$ covers several consecutive $r_i$.

For any $r_i$ find out what happens in $w$ at $r_i$, i.e. to which term $\langle\alpha_k\rangle_{I_k}\beta_k$ or to $\gamma$ (the shift of) $w_i$ belongs. We also find when $r_i$ occurs: during $\alpha$ or $\beta$. All this information for all the $r_i$ forms the pattern of the word $w$. Notice that there are finitely many possible patterns. An example pattern $P$ (corresponding to Fig. 3) is as follows: "$\alpha_1$ at $r_0$, $\beta_4$ at $r_1$, $\gamma$ at $r_2$ and the signal is finished before $r_3$" (for this pattern to be valid, $\alpha_1$ and $\alpha_4$ should be active on $(r_0, r_1)$). Now consider each pattern separately. For any pattern, using the parsing (4) and the expressions $\Delta_i$, we can write a regular expression which defines the set of all the words in $L^{\circledast}$ having this pattern. Instead of a heavy general formula consider only the expression corresponding to our sample pattern $P$:

$$\mathcal{E}_P = \Big\langle\Big\langle\big\langle\langle\langle\alpha_1\beta_1\Delta_0\alpha_4\rangle_{(0, r_1)}\beta_4\rangle_{(r_1, r_2)}\Delta_1\big\rangle_{(r_1, r_2)}\gamma\Big\rangle_{(r_2, r_3)}\Delta_2\Big\rangle_{(r_2, r_3)}.$$

Last, to obtain the final regular expression we sum the expressions $\mathcal{E}_P$ over all valid patterns $P$.


4 Quasilinear Equations

Definition 10. A system of quasilinear equations has the following form:

$$X_i = \alpha_i + \sum_{j=1}^{n} \beta_{ij} X_j + \sum_{j=1}^{n} \gamma_{ij} \circ X_j, \qquad i = 1, \dots, n, \tag{5}$$

where the $X_i$ stand for unknown timed languages and $\alpha_i$, $\beta_{ij}$, $\gamma_{ij}$ for given regular coefficients.

We can now formulate the main result of the paper.

Theorem 11. The minimal solution of a system of quasilinear equations is regular. Its regular expression can be obtained algorithmically from the expressions for the coefficients.

The rest of this section is devoted to a sketch of the proof of this theorem and to the description of the algorithm. Without loss of generality suppose that the $\beta_{ij}$ do not contain the empty signal $\varepsilon$. Otherwise we can move this empty signal from $\beta_{ij}$ to $\gamma_{ij}$, since $\varepsilon X_j = \varepsilon \circ X_j$.

The  first  thing  to  do  is  to  separate  unknowns  to  which  concatenation  is 
applied  from  those  to  which  o  is  applied.  To  achieve  this  aim  we  create  another 
copy  of  each  unknown. 

Lemma 12. The following system:

$$\begin{cases} X_i = \alpha_i + \sum_{j=1}^{n} \beta_{ij} Y_j + \sum_{j=1}^{n} \gamma_{ij} \circ X_j, \\ Y_i = X_i \end{cases} \tag{6}$$

has the same solutions as the original system (5). Formally, $X_1 = L_1, \dots, X_n = L_n$ is a solution to (5) iff $X_1 = Y_1 = L_1, \dots, X_n = Y_n = L_n$ is a solution to (6), and all the solutions to the latter system have this form.

The following lemma gives a solution to a single equation with only one operation. Its proof is fully similar to the proof of the same result for discrete equations.

Lemma 13.
- The minimal solution to $X = \alpha + \gamma \circ X$ is $X = \gamma^{\circledast} \circ \alpha$;
- The minimal solution to $Y = \alpha + \beta Y$ is $Y = \beta^* \alpha$.

The algorithm for solving the system (6) is similar to the classical algorithm for discrete languages and consists in the iterated application of Lemma 13 together with the circle elimination of Section 3. At the first stage we begin with the first equation and express $X_1$ from it as

$$X_1 = \gamma_{11}^{\circledast} \circ \Big(\alpha_1 + \sum_{j=1}^{n} \beta_{1j} Y_j + \sum_{j=2}^{n} \gamma_{1j} \circ X_j\Big).$$

Eliminating circles, this equation can be transformed to the form

$$X_1 = \alpha'_1 + \sum_{j=1}^{n} \beta'_{1j} Y_j + \sum_{j=2}^{n} \gamma'_{1j} \circ X_j.$$

We put this expression into the second equation and solve it for $X_2$. And we continue till $X_n$, for which we find an expression that contains only $Y$'s and no $X$ unknowns. Then the second stage begins. We go backwards, putting this expression for $X_n$ into equation number $n-1$. This allows us to find an $X_n$-free expression for $X_{n-1}$, and so on until we reach $X_1$ once again. Now the system has the form

$$\begin{cases} X_i = \alpha''_i + \sum_{j=1}^{n} \beta''_{ij} Y_j, \\ Y_i = X_i. \end{cases} \tag{7}$$

Replacing $Y_i$ by $X_i$ we obtain the $\circ$-free system

$$X_i = \alpha''_i + \sum_{j=1}^{n} \beta''_{ij} X_j,$$

and we express again

$$X_1 = (\beta''_{11})^* \Big(\alpha''_1 + \sum_{j=2}^{n} \beta''_{1j} X_j\Big),$$

put the result into the second equation, find $X_2$ and so on. This is the third stage of the algorithm. The fourth (and last) stage consists in going backwards, putting the regular expression for $X_n$ into equation $n-1$ and so on. This ends up with finding regular expressions for all the $X_i$. This concludes the algorithm and the proof of Theorem 11.


5 Applying Equations to Timed Automata

First recall shortly the definition of timed automata and their languages.

Definition 14 (Timed Automaton, [AD94]). A timed automaton is a tuple $\mathcal{A} = (Q, C, \Sigma, \Delta, S, F)$ where $Q$ is a finite set of states, $C$ is a finite set of clocks, $\Sigma$ is an output alphabet, $\Delta$ is a transition relation (see below), $S \subseteq Q$ an initial set and $F \subseteq Q$ an accepting set. An element of the transition relation is of the form $(q, \phi, \rho, q', a)$ where $q$ and $q'$ are states, $a \in \Sigma$ an output symbol, $\rho \subseteq C$ and $\phi$ (the transition guard) is a boolean combination of formulae of the form $(c \in I)$ for some clock $c$ and some integer-bounded interval $I$.

A clock valuation is a function $v : C \to \mathbb{R}_+ \cup \{0\}$ (which is the same as a vector $v \in (\mathbb{R}_+ \cup \{0\})^{|C|}$). We denote the set of all clock valuations by $\mathcal{R}$. For a clock valuation $v$ and a set $\rho \subseteq C$ we put for any clock variable $c \in C$

$$(\mathrm{Reset}_\rho\, v)(c) = \begin{cases} 0 & \text{if } c \in \rho \\ v(c) & \text{if } c \notin \rho \end{cases}$$

That is, $\mathrm{Reset}_\rho$ resets to zero all the clocks in $\rho$ and leaves the other clocks unchanged. We use $\mathbf{1}$ to denote the unit vector $(1, \dots, 1)$.
A finite run of the automaton is a sequence

$$(q_0, v_0) \xrightarrow[t_1]{\delta_1} (q_1, v_1) \xrightarrow[t_2]{\delta_2} \cdots \xrightarrow[t_n]{\delta_n} (q_n, v_n),$$

where $q_i \in Q$, $v_i \in \mathcal{R}$, $\delta_i \in \Delta$, $t_i \in \mathbb{R}_+$, and which satisfies the following conditions:

Time progress: $0 < t_1 < \dots < t_n$ (for convenience we put $t_0 = 0$);
Succession: If $\delta_i = (q, \phi, \rho, q', a_i)$ then $q_{i-1} = q$, $q_i = q'$, the condition $\phi(v_{i-1} + (t_i - t_{i-1})\mathbf{1})$ holds and $v_i = \mathrm{Reset}_\rho(v_{i-1} + (t_i - t_{i-1})\mathbf{1})$.

An accepting run is a run satisfying the additional conditions:

Initialization: $q_0 \in S$; $v_0 = 0$;
Termination: $q_n \in F$.

The trace of such a run is the signal $((a_1, t_1), \dots, (a_n, t_n))$, whose length is $t_n$. The language of a timed automaton, $L(\mathcal{A})$, consists of all the traces of its accepting runs.
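An added example, not taken from the paper: the run conditions above turned into an acceptance check in Python. Guards are restricted to conjunctions of constraints $(c \in I)$, which is all the one-clock automata of this section use. The automaton encoded is our reading of the second automaton of Fig. 1 (the reading that yields system (9) in Example 4 below); the state names q1, q2, q3 and the single accepting state qf are our own labels, and the `accepts` function and the dictionary layout of the automaton are ours.

```python
from math import inf

def in_interval(x, iv):
    """iv = (lo, hi, lo_closed, hi_closed); hi may be inf.  pt(l) is [l, l]."""
    lo, hi, lc, hc = iv
    return (lo <= x if lc else lo < x) and (x <= hi if hc else x < hi)

def pt(l):
    return (l, l, True, True)

def accepts(aut, trace):
    """True iff trace = [(a_1, t_1), ..., (a_n, t_n)] is the trace of an accepting run.

    aut is a dict with keys Q, C, Sigma, Delta, S, F.  A transition is
    (q, guard, rho, q2, a) with guard a list of (clock, interval) pairs (a
    conjunction) and rho the set of clocks reset.  Nondeterminism is handled
    by tracking the whole set of reachable configurations (q, v)."""
    C = aut['C']
    confs = {(q, tuple(0.0 for _ in C)) for q in aut['S']}     # Initialization: v_0 = 0
    t_prev = 0.0                                               # t_0 = 0
    for a, t in trace:
        if not t > t_prev:                                     # Time progress
            return False
        d = t - t_prev
        nxt = set()
        for q, v in confs:
            elapsed = tuple(x + d for x in v)                  # v_{i-1} + (t_i - t_{i-1}) 1
            for q1, guard, rho, q2, b in aut['Delta']:         # Succession
                if q1 == q and b == a and all(in_interval(elapsed[C.index(c)], iv) for c, iv in guard):
                    nxt.add((q2, tuple(0.0 if c in rho else elapsed[k] for k, c in enumerate(C))))
        confs, t_prev = nxt, t
    return any(q in aut['F'] for q, _ in confs)                # Termination

# Constructed one-clock automaton (our reading of the second automaton of Fig. 1).
FIG1_TIMED = {
    'Q': {'q1', 'q2', 'q3', 'qf'}, 'C': ('c',), 'Sigma': {'a', 'b'},
    'Delta': [
        ('q1', [('c', pt(5))],                  {'c'}, 'q2', 'a'),   # guard c = 5, reset
        ('q1', [('c', pt(2))],                  set(), 'q3', 'b'),   # guard c = 2, no reset
        ('q2', [('c', (7, inf, False, False))], set(), 'qf', 'b'),   # guard c in (7, inf)
        ('q2', [('c', (0, 10, False, False))],  set(), 'q3', 'a'),   # guard c in (0, 10), no reset
        ('q3', [('c', pt(8))],                  set(), 'qf', 'a'),   # guard c = 8
    ],
    'S': {'q1'}, 'F': {'qf'},
}
```

The check keeps clock values as elapsed absolute time since the last reset, so a non-resetting transition such as `b` from q1 to q3 carries the clock value 2 into q3, and the later `a` must then occur at absolute time 8; this is exactly the situation the $\circ$ operation was introduced for.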

Now recall the main result of [ACM97].

Theorem 15 [ACM97]. A timed language $L$ can be accepted by a timed automaton of Alur and Dill iff it can be represented in the form

$$L = \varphi\Big(\bigcap_i L_i\Big),$$

where the $L_i$ are regular languages and $\varphi$ is a homomorphism.

(The terminology of [ACM97] is slightly different.)

The difficult direction is of course to find regular expressions for a given automaton. This operation in [ACM97] is split into two parts. The first one consists in the reduction to one-clock automata.

Lemma 16 [ACM97]. Any timed language $L$ accepted by a timed automaton can be represented in the form

$$L = \varphi\Big(\bigcap_i L_i\Big),$$

where the $L_i$ are languages accepted by one-clock automata and $\varphi$ is a homomorphism.

Our equation technique is of no help here. However, our result can simplify the proof of the second part.
Lemma 17 [ACM97]. Any timed language $L$ accepted by a one-clock timed automaton is regular.

Given a one-clock timed automaton it is easy to construct an equivalent system of quasilinear equations.

In order to do it, for any control state $q_i$ of the automaton introduce an unknown $X_i$. For a transition from $q_i$ to the accepting state with the label $a$ and the guard $(c \in I)$ put $\alpha_i = \langle a\rangle_I$. For a transition from $q_i$ to $q_j$ with label $a$, guard $(c \in I)$ and no reset put $\gamma_{ij} = \langle a\rangle_I$. For a transition from $q_i$ to $q_j$ with label $a$, guard $(c \in I)$ and reset $(c := 0)$ put $\beta_{ij} = \langle a\rangle_I$ (several transitions of the same kind between the same states contribute the sum of their terms). Finally write the system of equations

$$X_i = \alpha_i + \sum_{j=1}^{n} \beta_{ij} X_j + \sum_{j=1}^{n} \gamma_{ij} \circ X_j, \qquad i = 1, \dots, n, \tag{8}$$

of the form (5).

The quasilinear system obtained in such a straightforward way from the one-clock automaton can be solved using the algorithm of the previous section. The following lemma concludes the new proof of Lemma 17 and Theorem 15.

Lemma 18. $X_i$ in the minimal solution of equations (8) is the language accepted by the automaton from the state $q_i$ with initial value of the clock $c = 0$.

Example 4. Consider the second (timed) automaton on Figure 1. According to the general construction the corresponding quasilinear equations are as follows:

$$\begin{cases} X_1 = \langle a\rangle_5 X_2 + \langle b\rangle_2 \circ X_3 \\ X_2 = \langle b\rangle_{(7,\infty)} + \langle a\rangle_{(0,10)} \circ X_3 \\ X_3 = \langle a\rangle_8 \end{cases} \tag{9}$$

For the system (9) the procedure of Section 4 gives the solution

$$\begin{cases} X_1 = \langle a\rangle_5 \langle b\rangle_{(7,\infty)} + \langle a\rangle_5 \langle\langle a\rangle_{(0,10)}\, a\rangle_8 + \langle\langle b\rangle_2\, a\rangle_8 \\ X_2 = \langle b\rangle_{(7,\infty)} + \langle\langle a\rangle_{(0,10)}\, a\rangle_8 \\ X_3 = \langle a\rangle_8 \end{cases}$$
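As an added example (written for this edition; not the paper's own code), the four stages of Section 4 implemented in Python over expressions kept as sums of terms. It solves the classical system of Example 1 (all $\gamma_{ij}$ empty, so only stages 3 and 4 do any work), the system (9) of Example 4, and a constructed equation with a non-resetting self-loop, $X_1 = \langle b\rangle_5 + \langle a\rangle_{(0,3)} \circ X_1$, which exercises the circled star. Circled-star elimination is implemented only for the easy shapes of Section 3 (a dull $\gamma$, or a single term $\langle\alpha\rangle_I\beta$ with dull $\alpha$); the general pattern construction of Proposition 9 is not implemented and raises. The term encoding, `solve`, `show` and the 0-based numbering of unknowns are ours.

```python
from math import inf
EMPTY, EPS = frozenset(), frozenset({()})              # the empty language and {eps}
def sym(a): return frozenset({(('sym', a),)})
def union(*es): return frozenset().union(*es)
def concat(*es):                                       # concatenation, distributed over terms
    out = EPS
    for e in es: out = frozenset(t1 + t2 for t1 in out for t2 in e)
    return out
def timed(e, iv):                                      # <e>_I, one factor per term of e
    return frozenset((('time', frozenset({t}), iv),) for t in e)
def star(e):
    e = e - EPS                                        # (eps + e)* = e*
    if not e: return EPS
    only = next(iter(e)) if len(e) == 1 else None
    return e if only and len(only) == 1 and only[0][0] == 'star' else frozenset({(('star', e),)})
def pt(l): return (l, l, True, True)
def in_interval(x, iv):
    lo, hi, lc, hc = iv
    return (lo <= x if lc else lo < x) and (x <= hi if hc else x < hi)
def dull_term(t):                                      # Lemma 3: no <>_I before the first letter
    return t == () or t[0][0] == 'sym' or (t[0][0] == 'star' and is_dull(t[0][1]) and dull_term(t[1:]))
def is_dull(e): return all(map(dull_term, e))

def circ(d, e):                                        # d o e with o eliminated (Proposition 6)
    if not d: return EMPTY
    if d == EPS: return e                              # eps o e = e
    out = EMPTY
    for t in e:
        rest = frozenset({t[1:]})
        if dull_term(t):                               # d o gamma = d gamma for dull gamma
            out |= concat(d, frozenset({t}))
        elif t[0][0] == 'time':                        # d o <a>_I b = <d o a>_I b   (eps not in a)
            a, iv = t[0][1], t[0][2]
            out |= concat(timed(circ(d, a - EPS), iv), rest)
            if () in a and in_interval(0, iv):         # leftover <eps>_I b, which is b when 0 in I
                out |= circ(d, rest)
        else:                                          # t = b* rest:  b* rest = rest + b b* rest
            out |= circ(d, rest) | circ(d, concat(t[0][1], frozenset({(t[0],)}), rest))
    return out

def cstar(g):                                          # g^(circled star), easy shapes of Section 3 only
    g = g - EPS
    if not g: return EPS
    if is_dull(g): return star(g)                      # dull gamma: gamma^(o*) = gamma*
    t = next(iter(g)) if len(g) == 1 else None
    if t and t[0][0] == 'time' and is_dull(t[0][1]) and () not in t[0][1]:
        a, iv, b = t[0][1], t[0][2], frozenset({t[1:]})   # (<a>_I b)^(o*) = <<a>_I (b a)*>_I b + eps
        return union(EPS, concat(timed(concat(timed(a, iv), star(concat(b, a))), iv), b))
    raise NotImplementedError("general circled star needs the pattern construction of Proposition 9")

def solve(alpha, beta, gamma):                         # minimal solution of (5); unknowns numbered from 0
    n = len(alpha)
    B, G = [dict(b) for b in beta], [dict(g) for g in gamma]
    for i in range(n):                                 # WLOG eps not in beta_ij: move it to gamma_ij
        for j, e in list(B[i].items()):
            if () in e: B[i][j], G[i][j] = e - EPS, union(G[i].get(j, EMPTY), EPS)
    X = []                                             # X[i] = (a, b over the Y_j, g over X_j with j > i)
    for i in range(n):                                 # stage 1: forward, Lemma 13 for o
        a, b, g = alpha[i], B[i], G[i]
        for k in range(i):
            if k in g:
                d, (ak, bk, gk) = g.pop(k), X[k]
                a = union(a, circ(d, ak))
                for j, e in bk.items(): b[j] = union(b.get(j, EMPTY), circ(d, e))
                for j, e in gk.items(): g[j] = union(g.get(j, EMPTY), circ(d, e))
        s = cstar(g.pop(i, EMPTY))
        X.append((circ(s, a), {j: circ(s, e) for j, e in b.items()}, {j: circ(s, e) for j, e in g.items()}))
    for i in range(n - 2, -1, -1):                     # stage 2: backward, X_i becomes Y-only
        a, b, g = X[i]
        for k in sorted(g, reverse=True):
            d, (ak, bk, _) = g.pop(k), X[k]
            a = union(a, circ(d, ak))
            for j, e in bk.items(): b[j] = union(b.get(j, EMPTY), circ(d, e))
        X[i] = (a, b, g)
    A, B = [x[0] for x in X], [dict(x[1]) for x in X]  # system (7) with Y_j := X_j
    for i in range(n):                                 # stage 3: forward, Arden: X = b X + a  =>  b* a
        for k in range(i):
            if k in B[i]:
                d = B[i].pop(k)
                A[i] = union(A[i], concat(d, A[k]))
                for j, e in B[k].items(): B[i][j] = union(B[i].get(j, EMPTY), concat(d, e))
        s = star(B[i].pop(i, EMPTY))
        A[i], B[i] = concat(s, A[i]), {j: concat(s, e) for j, e in B[i].items()}
    for i in range(n - 2, -1, -1):                     # stage 4: backward
        for k in sorted(B[i], reverse=True):
            A[i] = union(A[i], concat(B[i].pop(k), A[k]))
    return A

def show(e):                                           # the paper's notation, e.g. <<b>_2a>_8
    iv = lambda v: str(v[0]) if v[0] == v[1] else f"{'[' if v[2] else '('}{v[0]},{v[1]}{']' if v[3] else ')'}"
    fac = lambda f: f[1] if f[0] == 'sym' else f"({show(f[1])})*" if f[0] == 'star' else f"<{show(f[1])}>_{iv(f[2])}"
    return ' + '.join(''.join(map(fac, t)) or 'eps' for t in sorted(e, key=str)) or '0'

a, b = sym('a'), sym('b')
EX1 = solve([EMPTY, b, a], [{1: a, 2: b}, {2: a}, {}], [{}, {}, {}])           # Example 1 (untimed)
I7, I010 = (7, inf, False, False), (0, 10, False, False)
EX4 = solve([EMPTY, timed(b, I7), timed(a, pt(8))], [{1: timed(a, pt(5))}, {}, {}],   # system (9)
            [{2: timed(b, pt(2))}, {2: timed(a, I010)}, {}])
SELF = solve([timed(b, pt(5))], [{}], [{0: timed(a, (0, 3, False, False))}])  # constructed: X1 = <b>_5 + <a>_(0,3) o X1
```

`show(EX4[0])` prints the three terms of the paper's solution for $X_1$ (in the order the term encoding sorts them), and `show(SELF[0])` prints `<b>_5 + <<<a>_(0,3)(a)*>_(0,3)b>_5`: every non-resetting `a` loop must end while the clock is in $(0,3)$, and `b` at clock 5 closes the signal. Unknowns never appear inside an expression; they are carried in the `beta`/`gamma` dictionaries, which is what lets `circ` be applied to coefficients only, as in the paper's stages.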

6 Conclusions and Further Work

In this paper a new linguistic formalism for timed languages is proposed. This formalism is adequate for timed automata. However, there are still many questions to investigate.

- What is the complexity of the algorithms?
- Is it possible to apply this approach directly to multi-clock timed automata?
- What are other possible applications of this formalism? In particular, is it convenient for the specification of timed systems?
- What can be done for more complicated equations?
Abstract. A novel approach to the control of an automotive engine in the cut-off region is presented. First, a hybrid model which describes the torque generation mechanism and the power-train dynamics is developed. Then, the cut-off control problem is formulated as a hybrid optimization problem, whose solution is obtained by relaxing it to the continuous domain and mapping its solution back into the hybrid domain. A formal analysis as well as simulation results demonstrate the properties and the quality of the control law.


1 Introduction

Hybrid systems have been the subject of intensive study in the past few years, with particular emphasis placed on a unified representation of the problem in terms of rigorous mathematical foundations (see [5], [10], [7], [6], [3], [4]). In our opinion, it is important to address significant domains of application of hybrid control to develop further understanding of the implications of the model on the control algorithms. In the automotive industry, engine behavior is in general partitioned into regions of operation where appropriate control actions are applied to yield the desired result [2]. The region of operation considered here is characterized by the driver who, by releasing the gas pedal, requests no torque from the engine. An obvious strategy to minimize fuel consumption and emissions when no torque is requested is to shut fuel injection off, an operation called cut-off. However, cutting off fuel injection as soon as the gas pedal is released causes a sudden torque reduction that may result in unpleasant oscillations compromising driving comfort. The open-loop control policy implemented by the industry today consists of air and fuel input modulation, that is, throttle closure is slowed down and, when the air quantity is below a threshold, fuel injection is gradually reduced to zero. As is often the case, heuristic rule-based controls need extensive tuning, yield satisfactory solutions only in a limited range of operations and are hardly optimal with respect to emissions and fuel consumption.
In this paper, we introduce a novel, theoretically sound, closed-loop approach to cut-off control. The “plant” consists of two parts: the engine, responsible for torque generation, modeled as a combination of an Extended Finite State Machine and of a Discrete Event system, and the powertrain, modeled as a fourth-order linear Continuous Time system. The goal is to control the evolution of the system from an initial condition (the state of the system when the gas pedal has been released and the manifold pressure has approached its idle regime value) to cut-off, minimizing the amplitude of the undesired oscillations. The available control actions are on fuel injection and spark ignition, the inputs to the engine, occurring only once per engine cycle for each piston. The torque generated is the output of the engine and the input to the powertrain. The powertrain dynamics contain the potential oscillatory behavior to be minimized. The wheel revolution speed and the angular velocity of the crankshaft are components of its state. The timing of the torque generation mechanism is determined by the angle of the crankshaft. Consequently, the control problem is a Hybrid System Control problem, which is further complicated by the delay between the time at which the decision on the quantity of fuel to be injected is taken (at the beginning of the exhaust phase) and the time the effect of this decision takes place (during the next expansion phase).

Our approach to the hybrid problem at hand is to relax the problem to the continuous domain, assuming that the torque signal can be modulated continuously over time within a given range of values. The problem so obtained is non-trivial since the objective function is non-differentiable. In [1] we devised a strategy that solves this problem to yield an optimal control law for the continuous domain. Then, this solution in the continuous domain was mapped back into the discrete domain. The control algorithm used sliding mode control in a region of the state space. Sliding modes yielded a control strategy that had implementation problems, since it required a fairly large number of switchings in the injection policy. In this paper we present a novel strategy which eliminates the sliding mode completely. The solution, mapped back into the hybrid domain, is demonstrated to yield a behavior that is close (within a precisely specified bound) to the behavior of the control in the continuous case. From the application of our control strategy by our industrial partner on a commercial vehicle, the proposed solution appears to be far superior to the present, heuristic approach in performance, emission control, memory and CPU occupation.

2 Problem formulation

2.1 Plant model

In this paper, we deal with 4-stroke N-cylinder gasoline engines. Our model consists of the composition of N sub-models, one per cylinder. The single cylinder sub-model M consists of three parts:

1. an Extended Finite State Machine (EFSM)¹ describing the pistons' behavior;

2. a Discrete Event system (DE)² modeling torque generation;

3. a Continuous Time system (CT) modeling the powertrain.

¹ A deterministic Finite State Machine is a six-tuple $M = \{I, Y, S, s_0, \lambda, \gamma\}$ where $I$ is the (finite) set of inputs, $Y$ is the (finite) set of outputs, $S$ is the finite set of states, $s_0$ is the initial state, $\lambda : S \times I \to S$ is the next state function and $\gamma : S \times I \to Y$ is the output function. An Extended Finite State Machine is an FSM where the input and output spaces are not necessarily finite and can be subsets of $\mathbb{R}^n$.

Powertrain Model. The powertrain model is described by a continuous time system model developed at Magneti Marelli Engine Control Division. The model, whose parameters have been identified and validated, contains the phenomena involved in powertrain oscillations that are of interest in cut-off control. Powertrain dynamics are modeled by the linear system

$$\dot\zeta = A_P\,\zeta + b_P\,u \qquad (1)$$

$$\dot\phi_c = \text{[illegible]} \qquad (2)$$

State $\zeta = [\alpha_e, \omega_c, \omega_p]^T$ represents the axle torsion angle, the crankshaft revolution speed and the wheel revolution speed, and $\phi_c$ represents the crankshaft angle. The input signal $u$ is the torque acting on the crank. The linearized powertrain dynamics (1) are asymptotically stable since they model a passive mechanical system, and are characterized by a real dominant pole $\lambda_1$ and a pair of complex conjugate poles $\lambda \pm j\mu$, responsible for the oscillating behavior.

Piston's behavior. The behavior of each piston in the engine is abstractly represented by the Extended Finite State Machine shown in Figure 1, where $S = \{H, I, C, E\}$. The four states of the EFSM are as follows.

- Exhaust run ($H$). The piston goes up, expelling combustion exhaust gases.

- Intake run ($I$). During its down-run the piston loads the air-fuel mix.

- Compression run ($C$). During its up movement the piston compresses the loaded mix.

- Expansion run ($E$). The combustion of the compressed mix, triggered by a spark signal, produces a sudden pressure increase which pushes the piston downwards.

The transitions of the EFSM occur when a piston reaches the bottom or top dead point. The guard condition enabling the transition is expressed in terms of the piston position $\phi$ measured on the crankshaft, considering the offset $\phi_{co}$ which corresponds to the angle at which the crank is mounted on the shaft. The EFSM outputs the integer variable $k$, which is incremented by one at each transition.

Torque generation. The quantity of air entering the cylinders during the intake run is controlled by a throttle valve (often directly connected to the gas pedal). The control system keeps the fuel quantity proportional to the air load, so that the combustion process produces a minimum amount of waste and is maximally efficient. In electronic injection controlled engines, the fuel quantity is determined by the duration of the injection phase, which takes place during the exhaust run.

² A DE system is intended in the sense of [8].

Fig. 1. Hybrid model for a single cylinder.

The torque is generated during the expansion phase. Ideally, spark timing should occur at the precise time the piston reaches the end of its up-run in the compression phase. However, since combustion takes a non-zero time to complete, it is convenient to time spark ignition before the piston concludes the compression phase. The time for spark ignition is usually referred to as spark advance, and it is expressed in terms of the angle the crankshaft covers before the piston reaches its next top dead center. Spark advance is not constant. It depends on the temperature of the cylinders and of the loaded mix, and on the revolution speed of the crankshaft. The effect of spark advance, the other control variable considered here, is a modulation of the maximum value of torque that can be generated given the quantity and quality of the combustion mix. If the spark advance is optimal for torque generation, the modulation factor has the value 1; otherwise it is positive but less than one.

The generated torque is a complex function of time during the expansion phase; in practice it is replaced by its average value over the interval of time corresponding to the expansion phase.

The process of torque generation is characterized by the delays between the times at which fuel injection and spark advance are set and the time at which such decisions have an effect. Control signals are then subject to a transport process which can be represented by a DE system which is active at every EFSM transition. Such a DE system, represented in Figure 1 with dashed boxes, receives as inputs:

- the integer $k$ (an output of the EFSM);

- the mass of air-fuel mix $q \in \mathbb{R}^+$ loaded in the intake phase;

- a binary control variable $j \in \{0, 1\}$ which indicates whether or not fuel is present in the mix;

- the modulation factor $r \in [r_{min}, 1]$ due to non-optimal spark timing.

The DE system output is the torque $u(k)$. At the EFSM transition $E \to H$ the DE system reads its inputs $q(k)$ and $j(k)$, and stores in its state $z \in \mathbb{R}$ the maximum amount of torque achievable during the next $E$ phase, obtained by the mix-to-torque gain $G$. Such value is corrected at the $I \to C$ transition by the modulation factor $r(k)$ due to the chosen spark advance. The DE output $u(k)$ is always zero except at the $C \to E$ transition, when it is set to the value stored in $z$. Between two transitions of the EFSM, occurring at times $t_k$ and $t_{k+1}$, the input signal $u(t)$ to the powertrain model is given by $u(t) = u(k)$ for $t \in [t_k, t_{k+1})$.

Engine hybrid model. An engine is characterized by the number of cylinders; most cars have four, but there are engines that have a different number of cylinders³. The pistons are connected to the crankshaft, so that the phases of their behavior are related to each other. The overall model of torque generation for an $N$-cylinder engine is then the combination of $N$ EFSMs as in Figure 1 and of $N$ DE systems representing the behavior of each piston. The hybrid model of the complete engine is obtained by adding to the torque generation model the powertrain CT dynamics (1).

In this paper we focus on the most relevant case of a 4-cylinder engine. Its model, referred to in the rest of the paper as $M_{4cyl}$, has input signals $j = [j_1, j_2, j_3, j_4]^T$ and $r = [r_1, r_2, r_3, r_4]^T$ properly synchronized with the corresponding DE models; we denote by $\mathcal{J}_{4cyl}$ and $\mathcal{R}_{4cyl}$ the classes of functions $\mathbb{N} \to \{0, 1\}^4$ and $\mathbb{N} \to [r_{min}, 1]^4$ feasible for $j$ and $r$. Signal $q$ is instead shared among the cylinders. Without loss of generality, we assume that in $M_{4cyl}$

- the initial EFSM states are $s_{01} = H$, $s_{02} = I$, $s_{03} = C$, $s_{04} = E$;

- the crankshaft offsets $\phi_{co_i}$ are $\phi_{co_1} = \phi_{co_3} = 180°$, $\phi_{co_2} = \phi_{co_4} = 0°$;

- the initial value of the crankshaft angle $\phi_c(0)$ is set to zero.
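The composition just described, as an added Python example that is not part of the paper: four EFSMs stepped together from the initial states above, each with the DE rule of the torque generation paragraph (store $Gqj$ at $E \to H$, scale by $r$ at $I \to C$, release at $C \to E$), so that a decision $j_i(k)$ taken at an $E \to H$ transition surfaces as engine torque three transitions later. The gain $G$, the air mass $q$ and the input schedules are constructed values.

```python
"""Added example (not the paper's code): the torque-generation DE system of
Section 2.1 composed over the four cylinders of M_4cyl.  Every EFSM transition
advances all four pistons one run (H -> I -> C -> E -> H); the DE attached to
each cylinder stores G*q*j at E -> H, multiplies it by r at I -> C and releases
it as torque at C -> E.  G, q and the j/r schedules are constructed values."""

NEXT = {"H": "I", "I": "C", "C": "E", "E": "H"}   # run sequence of a piston
INITIAL_RUNS = ["H", "I", "C", "E"]               # s_01 .. s_04 of Section 2.1


class FourCylinderTorque:
    """Composition of 4 EFSMs and 4 DE systems; step() returns u(k), the engine
    torque fed to the powertrain on [t_k, t_{k+1})."""

    def __init__(self, gain_g, q0):
        self.g = gain_g
        self.run = list(INITIAL_RUNS)
        # injection was active before cut-off: z_i(0) = G q0 for every cylinder
        self.z = [gain_g * q0] * 4
        self.k = 0

    def step(self, q, j, r):
        """One EFSM transition for all pistons.  j[i] in {0,1} and r[i] in
        (0,1] are the injection and spark-advance inputs of cylinder i at this
        k; q is the shared air mass.  Returns u(k)."""
        torque = 0.0
        for i in range(4):
            src = self.run[i]
            if src == "E":            # E -> H: fuel decision for the next cycle
                self.z[i] = self.g * q * j[i]
            elif src == "I":          # I -> C: spark advance modulates torque
                self.z[i] *= r[i]
            elif src == "C":          # C -> E: stored torque is released
                torque += self.z[i]
            self.run[i] = NEXT[src]
        self.k += 1
        return torque


def torque_sequence(gain_g, q0, j_schedule, r_schedule):
    """Run the model for len(j_schedule) transitions and return [u(0), u(1), ...].
    j_schedule[k] and r_schedule[k] are the 4-vectors j(k) and r(k)."""
    eng = FourCylinderTorque(gain_g, q0)
    return [eng.step(q0, j, r) for j, r in zip(j_schedule, r_schedule)]


def deciding_cylinder(k):
    """0-based index of the cylinder whose E -> H decision at transition k is
    the one that appears as torque u(k + 3); with the initial runs above the
    cylinders decide in the order 4, 3, 2, 1, 4, ..."""
    return (3 - k) % 4


if __name__ == "__main__":
    # cut-off from k = 0: j = 0 for every cylinder, r = 1; the three torques
    # already in the pipeline are still delivered, then u(k) drops to 0
    j_off = [[0, 0, 0, 0]] * 8
    r_one = [[1.0] * 4] * 8
    print(torque_sequence(2.0, 0.5, j_off, r_one))   # [1.0, 1.0, 1.0, 0.0, 0.0, 0.0, 0.0, 0.0]
```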


2.2 The optimization problem

The optimization problem is to control fuel injection and spark advance so that vehicle acceleration peaks are minimized during the cut-off operation. Throttle closure produces a decreasing evolution of the manifold pressure towards the idle regime value. We identify as the starting point of the cut-off operation the time $t_0 = t_k$ at which $q_a(k)$ equals the steady-state air quantity with pedal released, $q_a^0$. We also assume that before $t_0$ the injection signals were active, so that $z_1(0) = z_2(0) = z_3(0) = z_4(0) = Gq^0$. To simplify notation, we set $t_k = 0$ and $k = 0$.

³ For example, Formula 1 racing cars can have 8, 10 or 12 cylinders. The Fiat Coupe 2000 Turbo has 5.
Assuming vehicle speed equal to wheel speed, vehicle acceleration is $a(t) = R\,\dot\omega_p(t)$, where $R$ is the wheel radius. To isolate oscillations from monotone behavior, the following state transformation is applied. Set

[equation (3) illegible]

with $x' \in \mathbb{R}$, $x \in \mathbb{R}^2$, $P_1 \in \mathbb{R}^{1 \times 3}$ and $P_2 \in \mathbb{R}^{2 \times 3}$, where $P$ is obtained from the eigenvectors of $A_P$. Rewrite (1) as

[illegible]

where $A = $ [illegible] $\qquad (4)$

Denoting by $c \in \mathbb{R}^{1 \times 2}$ the product of the third row of $A_P$, the last two columns of $P^{-1}$ and $R$, the oscillating component of the acceleration can be expressed as the output of the following linear system in the reduced state $x$:

$$\dot x(t) = A\,x(t) + b\,u(t) \qquad (5)$$

$$a(t) = R\,\dot\omega_p(t) = c\,x(t) \,. \qquad (6)$$

The objective of the cut-off control strategy is to minimize the peaks of the acceleration $a(t)$ until they are less than a threshold of perception $a_{th} > 0$. Consider the circle

$$B_\rho = \{x \in \mathbb{R}^2 : \|x\| \le \rho\}, \qquad \rho = a_{th}\,\|c\|^{-1}, \qquad (7)$$

where $\|\cdot\|$ denotes the Euclidean norm. By asymptotic stability of system (5), when $u(t) = 0$ the norm of $x(t)$ decreases over time, since $\frac{d}{dt}\|x\|^2 = 2\lambda\, x^T x$ and $\lambda < 0$. Therefore, if at some time $\bar t$ the state has been driven to $x(\bar t) \in B_\rho$, the control $u(t) = 0$ keeps the trajectory in $B_\rho$ and the acceleration $a(t)$ is bounded above by $a_{th}$ for $t \ge \bar t$. The cut-off control problem can then be formulated as the optimization problem of steering the state $x$ to the circle $B_\rho$ while minimizing the acceleration peak. Once in $B_\rho$, fuel injection can be safely shut off with vehicle oscillations below threshold.

Then the cut-off optimization problem can be formulated as follows.

Problem 1. Given the engine hybrid model $M_{4cyl}$, find $j \in \mathcal{J}_{4cyl}$ and $r \in \mathcal{R}_{4cyl}$ such that

$$\sup_{0 \le t \le T} |a(t)| = \min_{j \in \mathcal{J}_{4cyl},\; r \in \mathcal{R}_{4cyl}} \;\sup_{0 \le t \le T} |a(t)| \qquad (8)$$

$$\text{subject to:} \quad \begin{cases} \text{dynamics of hybrid model } M_{4cyl} \text{ with } \zeta(0) = \zeta_0 \text{ s.t. } x(0) = x_0 \notin B_\rho, \\ x(T) \in B_\rho, \\ z_1(0) = z_2(0) = z_3(0) = z_4(0) = G q_a^0, \\ q(k) = q^0 \text{ for all } k \ge 0 \end{cases} \qquad (9)$$

where $x_0 = P_2 \zeta_0$, $x(T) = P_2 \zeta(T)$, $a$ is given by (6), the final time $T$ is free, $(\zeta_0, 0)^T$ is the continuous state value at the beginning of the cut-off operation, $B_\rho$ is as in (7) and $q^0$ is the steady-state air quantity with gas pedal released.
3 Continuous-time model solution

The main difficulties in Problem 1 are that the plant to be controlled is hybrid and that the input signals are bounded. Our strategy is to relax first the hybrid problem into the continuous domain, and then to map the solution back to the hybrid domain. The relaxed problem is as follows.

Problem 2. Given

$$U = \{u : [0, +\infty) \to \mathbb{R} \mid u(t) \text{ is measurable and } 0 \le u(t) \le M,\ \forall t \ge 0\} \qquad (10)$$

with $M = Gq^0$ and $q^0$ the steady-state air quantity after pedal release,

$$\min_{u \in U} \;\sup_{0 \le t \le T} |a(t)| \qquad (11)$$

$$\text{subject to:} \quad \begin{cases} \dot x(t) = A\,x(t) + b\,u(t) \\ x(0) = x_0 \notin B_\rho \\ \|x(T)\| = \rho \end{cases} \qquad (12)$$

where $|a(\cdot)|$ is as in (6) and $T$ is finite.

Let $R(\theta) \in \mathbb{R}^{2 \times 2}$ be the $\theta$ rotation matrix in $\mathbb{R}^2$ and let $(\cdot)_\perp$ be the $+\pi/2$ rotation operator defined as $z_\perp = R(\frac{\pi}{2})z$ for any $z \in \mathbb{R}^2$. Let $x_M = -A^{-1}bM$ be the equilibrium point with $u = M$ and $v = -\|x_M\|^{-1}(x_M)_\perp$. In our previous paper [1], it was shown that there exists $u \in U$ which steers the state of (5) to the origin along a straight line, provided that $x_0$ is inside the domain $\mathcal{D}_M = C_M \cap A_v$, where $A_v = \{x \in \mathbb{R}^2 \mid (v^T x)(b^T R(-\frac{\pi}{2})x) > 0\}$ and $C_M = \{x \in \mathbb{R}^2 \mid x^T R(-\frac{\pi}{2})(Ax + bM) < 0\}$ (see⁴ Figure 2). During such motion the cost function $|a(\cdot)|$ monotonically decreases to zero. However, the time to reach $B_\rho$ becomes unbounded when $x_0$ is such that $v^T x_0 \to 0^-$.

Proposition 3. Let $\Lambda = \inf_{u \in U} \sup_{0 \le t \le T} |a(t)|$ subject to (5). Consider

$$u = \begin{cases} 0 & \text{if } v^T x > 0 \\ M & \text{if } v^T x \le 0 \end{cases} \quad \text{if } x \notin \mathcal{D}_M, \qquad u = \begin{cases} \text{[illegible]} & \text{if } (R(\theta)v)^T x > 0 \\ 0 & \text{if } (R(\theta)v)^T x \le 0 \end{cases} \quad \text{if } x \in \mathcal{D}_M \,. \qquad (13)$$

If $(cx_M)(cb) > 0$ then (13), with $\theta \in (0, \cos^{-1}(|b^T v|\,\|b\|^{-1}))$, is an optimal solution to Problem 2, i.e. $\Lambda = \sup_{0 \le t \le T} |a(t)|$ with $u$ as in (13). Otherwise, no optimal solution in finite time exists, but for any $\varepsilon > 0$ there exists $\theta > 0$ such that control (13) steers $x_0$ to $B_\rho$ in finite time with $\sup_{0 \le t \le T} |a(t)| - \Lambda < \varepsilon$.

For all models of existing cars available to us, $(cx_M)(cb) > 0$ was verified, so (13) was actually optimal. Figure 2 reports the closed loop phase space under control (13) with $(cx_M)(cb) > 0$ and $\theta = 0$. Let $\psi(u, x_0, t)$ denote a trajectory of (5) and let $\mathcal{R}(\tau, x_0) = \{z \in \mathbb{R}^2 \mid \exists u \in U \text{ s.t. } z = \psi(u, x_0, \tau)\}$ be the reachable set in a specified time $\tau$ from an initial point $x_0$. We shall prove Proposition 3 by analyzing the properties of $\mathcal{R}(\tau, x_0)$. Direct application of basic elements of trajectory analysis gives the following results.

⁴ $C_M$ has center in [illegible]$\,R(\frac{\pi}{2})b$ and radius [illegible]. Its boundary contains the origin (with tangent collinear to vector $b$) and $x_M = -A^{-1}bM$, the equilibrium point with $u = M$.

Fig. 2. Optimal trajectories for the relaxed control problem. If $x \notin \mathcal{D}_M$, $u$ is equal to either $M$ (continuous line) or 0 (dotted line). Otherwise $0 < u < M$ (dash-dot line).

Proposition 4. (Proposition 5.1.1 in [9]). Given system (5) with $x(0) = x_0$ and $u \in U$, the reachable set $\mathcal{R}(\tau, x_0)$ is convex and compact.

Proposition 5. (Theorem 8.1.1 in [9]). Given system (5) with $x(0) = x_0$ and $u \in U$, if $x \in \mathcal{R}(\tau, x_0)$ then $x$ can be reached from $x_0$ in time $\tau$ by means of a trajectory that corresponds to a bang-bang control with a finite number of switchings, that is, $u(t) \in \{0, M\}$ for any $t \in [0, \tau]$ and $u(t)$ has a finite number of discontinuity points in $[0, \tau]$.

Proposition 6. (Corollary 2-4.3 in [9]). Let $\psi(u, x_0, t)$ be a trajectory of (5) that corresponds to the feasible input $u(\cdot) \in U$, from $x_0$ to $x_\tau = \psi(u, x_0, \tau)$. Suppose that $x_\tau$ is not an interior point of $\mathcal{R}(\tau, x_0)$. Introduce the adjoint variables $p \in \mathbb{R}^2$ and the Hamiltonian $H(\psi, p, u) = p^T(Ax + bu)$. Then, there exists a trajectory $p(\cdot)$ such that $\dot p = -\frac{\partial H}{\partial x} = -A^T p$ with $p(t) \ne 0$ for all $t \in [0, \tau]$ and

$$\min_{\tilde u \in U} H(\psi(u, x_0, t), p(t), \tilde u(t)) = H(\psi(u, x_0, t), p(t), u(t)) = \nu \qquad (14)$$

for almost all $t \in [0, \tau]$, with $\nu$ a constant.

Corollary 7. Let $\psi(u, x_0, t)$, $p(t)$, $u(t)$ satisfy the minimum condition (14); then $u(t) = M$ if $b^T p(t) > 0$, and $u(t) = 0$ if $b^T p(t) < 0$. For any time interval of length less than or equal to $\pi/\mu$, $u(t)$ has at most one discontinuity point.
Proposition 8. Let $\psi(u, x_0, t)$ be the solution of (5), from $x_0$, with $u$ as in (13).

(1) If $\tau > 0$ is a point of local maximum for $|a(t)|$ and $u(t)$ is continuous at $t = \tau$, then $u(\tau) \in \{0, M\}$ and $x_\tau = \psi(u, x_0, \tau)$ is such that $cA(x_\tau - \text{[illegible]}) = 0$.

(2) If $\tau_1, \tau_2 > 0$ are two successive local maxima for $|a(t)|$, then $\tau_2 - \tau_1 \le \pi/\mu$ (where equality holds if $u(t)$ is continuous at $\tau_1$ and $\tau_2$), and $|a(\tau_1)| > |a(\tau_2)|$.

Using Proposition 8, we can concentrate only on reachable sets in time $\tau \le \pi/\mu$ to prove optimality of (13).

Corollary 9. Given system (5) and input class $U$, points on the boundary of the reachable set $\mathcal{R}(\tau, x_0)$, with $\tau \le \pi/\mu$, are reached from $x_0$ by means of a bang-bang control $u : [0, \tau] \to \{0, M\}$ with at most one switching.

The boundary of the reachable set for $\tau \le \pi/\mu$ is readily obtained as

$$\partial\mathcal{R}(\tau, x_0) = \{x \in \mathbb{R}^2 \mid x = \gamma_0(\alpha) \ \vee\ x = \gamma_M(\alpha) \text{ with } \alpha \in [0, \tau]\} \,,$$

where $\gamma_0(\cdot), \gamma_M(\cdot)$ are the parametric curves

$$\gamma_0(\alpha) = e^{A\tau}x_0 + \left(I - e^{A(\tau - \alpha)}\right)x_M, \qquad \gamma_M(\alpha) = e^{A\tau}x_0 + \left(e^{A(\tau - \alpha)} - e^{A\tau}\right)x_M$$

corresponding to $u(t) = 0$ ($u(t) = M$, resp.) for $t \in [0, \alpha)$ and $u(t) = M$ ($u(t) = 0$, resp.) for $t \in [\alpha, \tau]$. Curves $\gamma_0(\cdot), \gamma_M(\cdot)$ are of class $C^\infty$ and $\partial\mathcal{R}(\tau, x_0)$ is closed, for $\gamma_0(\tau) = \gamma_M(0) = e^{A\tau}x_0 = x^{(0)}$ and $\gamma_M(\tau) = \gamma_0(0) = e^{A\tau}(x_0 - x_M) + x_M = x^{(M)}$. However, curve $\partial\mathcal{R}(\tau, x_0)$ is not, in general, of class $C^1$ at $x^{(0)}$ and $x^{(M)}$, since

$$\frac{d\gamma_0}{d\alpha} = A\,e^{A(\tau - \alpha)}x_M \qquad \text{and} \qquad \frac{d\gamma_M}{d\alpha} = -A\,e^{A(\tau - \alpha)}x_M \,. \qquad (15)$$

Proof of Proposition 3. We shall first consider the case $\theta = 0$ in (13) and discuss later the introduction of a $\theta \ne 0$. Let $\psi(u, x_0, t)$ be a trajectory of system (5) corresponding to control $u$ as in (13), with $\theta = 0$, from an initial condition $x_0$. Note that, for any $t$ such that $\psi(u, x_0, t) \notin \mathcal{D}_M$, $\psi(\cdot)$ is of class $C^1$.

For particular $x_0$, $|a(\cdot)|$ is monotonic along $\psi(u, x_0, t)$, from $x_0$ to $(0, 0)^T$, and hence achieves its maximum at $x_0$. One can easily obtain that the region $Q$ of such initial conditions contains $\mathcal{D}_M$ and is bounded as follows: if $(cx_M)(cb) > 0$, by the lines $cA(x - x_M) = 0$, $cAx = 0$, and the two trajectories with $u = M$ passing resp. through $(0, 0)^T$ and $x_a$, with $x_a$ s.t. $cA(x_a - x_M) = 0$ and $cx_a = 0$; otherwise, if $(cx_M)(cb) < 0$, by the lines $cA(x - x_M) = 0$, $v^T x = 0$, and the trajectory with $u = M$ passing through $(0, 0)^T$.

If $x_0 \notin Q$, $|a(\cdot)|$ achieves a maximum along $\psi(u, x_0, t)$ for some time $\tau > 0$ such that $x_\tau = \psi(u, x_0, \tau)$ satisfies either $cA(x_\tau - x_M) = 0$ or $cAx_\tau = 0$. Optimality of control (13) is proved by showing that at time $\tau$, any other control $\tilde u \in U$, different from $u$, achieves a value of $|a(\cdot)|$ which cannot be lower than $|c\psi(u, x_0, \tau)|$:

$$|c\psi(u, x_0, \tau)| \le |c\psi(\tilde u, x_0, \tau)| \le \sup_{0 \le t \le \tau} |c\psi(\tilde u, x_0, t)| \quad \text{for any } \tilde u \ne u,\ \tilde u \in U \,. \qquad (16)$$
Fig. 3. Reachable sets for final conditions on the locus of points of maximum.


Such inequality will be proved by analyzing the reachable set $\mathcal{R}(\tau, x_0)$. From Proposition 8, we have $\tau \le \pi/\mu$. Consider $x_0 \notin \mathcal{D}_M$. Two cases are in order: either (a) $u(t)$ has a discontinuity point for some $\bar t \in [0, \tau]$, or (b) $u(t)$ is constant in $[0, \tau]$.

(a) We first show that, in this case, $\frac{d\psi}{dt}(\tau)$ is collinear to the line $s$ passing through $x_\tau$ and parallel to $A\,e^{A(\tau - \bar t)}x_M$. Consider $u(t) = 0$ for $t \in [0, \bar t)$ and $u(t) = M$ for $t \in [\bar t, \tau]$. We have $\frac{d\psi}{dt}(\tau) = A\,e^{A\tau}\left(x_0 - e^{-A\bar t}x_M\right)$. But, since from (13) the operator $e^{A\bar t}$ steers point $x_0$ to the switching line $v^T x = 0$, $e^{-A\bar t}$ maps $x_M$ (which lies on $v^T x = 0$) to a vector collinear to $x_0$. Then $\frac{d\psi}{dt}(\tau)$ is parallel to $A\,e^{A(\tau - \bar t)}x_M$. If, instead, $u(t) = M$ for $t \in [0, \bar t)$ and $u(t) = 0$ for $t \in [\bar t, \tau]$, $\frac{d\psi}{dt}(\tau) = A\,e^{A\tau}\left((x_0 - x_M) + e^{-A\bar t}x_M\right)$ and, analogously to the above, $e^{-A\bar t}$ maps $x_M$ to a vector collinear to $x_0 - x_M$. Hence, in both cases $\frac{d\psi}{dt}(\tau)$ is collinear to $s$. Furthermore, from (15) one can easily obtain that line $s$ is also tangent to $\partial\mathcal{R}(\tau, x_0)$ at $x_\tau$. Due to the convexity property of the reachable set, $\mathcal{R}(\tau, x_0) \setminus \{x_\tau\}$ is all located on the same side of $s$, namely the one which does not contain the origin. Since these arguments are valid for any final time, it follows that $\mathcal{R}(t', x_0)$, with $t' \le \pi/\mu$, is always tangent to $\psi(u, x_0, t)$ at $t = t'$.

Now, since by construction $|a(\cdot)|$ is maximal along $\psi(u, x_0, t)$ at $t = \tau$, $c$ is perpendicular to $A\,e^{A(\tau - \bar t)}x_M$ and $s$ can be written as $(cx_\tau)\, c(x - x_\tau) = 0$. Since $\forall x \in \mathcal{R}(\tau, x_0) \setminus \{x_\tau\}$, $(cx_\tau)\, c(x - x_\tau) > 0$, condition (16) holds for any $\tilde u \ne u$.

(b) If instead $u(t)$ is constant in $[0, \tau]$, necessarily $x_\tau$ equals either $x^{(0)}$ or $x^{(M)}$ and, hence, $\partial\mathcal{R}(\tau, x_0)$ is not of class $C^1$ at $x_\tau$. Evaluating from (15) the tangent vectors to $\gamma_0(\cdot)$ or $\gamma_M(\cdot)$ at $x_\tau$, one obtains a direction parallel to $b$ (with $\alpha = \tau$) and a direction parallel to $A\,e^{A\tau}x_M$ (with $\alpha = 0$). Further, it is easy to check that, for the same $x_\tau$, the latter ranges from the line parallel to $b$ (as $x_0 \to x_\tau$) to the line perpendicular to $c^T$ (as $v^T x_0 \to 0$). Vector $b$ is not collinear to $\frac{d\psi}{dt}(\tau)$ except for $x_\tau$ lying on $v^T x = 0$. Then, also in this case, we can conclude that $\mathcal{R}(\tau, x_0) \setminus \{x_\tau\}$ lies on the side of $c(x - x_\tau) = 0$ opposite to the origin, and $\forall x \in \mathcal{R}(\tau, x_0) \setminus \{x_\tau\}$, $(cx_\tau)\, c(x - x_\tau) > 0$. Hence, (16) holds.

Moreover, suppose now that $\psi(u, x_0, t)$ enters $\mathcal{D}_M$ with $u = 0$, through $v^T x = 0$. Consider $\tau = \min\{t \mid v^T \psi(0, x_0, t) = 0\}$. The boundary of the set of points reachable in time $t \le \tau$ is given by the curves $e^{A\alpha}x_0 + (I - e^{A\alpha})x_M$ and $e^{A\alpha}x_0 = \psi(0, x_0, \alpha)$ with $\alpha \in [0, \tau]$. Hence, any other control which steers $x_0$ to the origin cannot achieve a value of the cost function smaller than $|cx_\tau|$, since the curve $\psi(0, x_0, \alpha)$ with $\alpha \in [0, \tau]$ can never be crossed, for it is a piece of the boundary of the reachable set.

Control (13) is not an optimal solution to Problem 2 for, as discussed in [1], it does not provide finite time convergence to $B_\rho$ for $x_0 \in \mathcal{D}_M$ s.t. $v^T x_0 = 0$. Rotating the switching line $v^T x = 0$ by a $\theta > 0$, convergence to $B_\rho$ within a finite time is achieved.

If $(cx_M)(cb) > 0$, $u$ as in (13), with $\theta \in (0, \cos^{-1}(|b^T v|\,\|b\|^{-1}))$, is again an optimal solution to Problem 2. In fact, since the center of $C_M$ belongs to $(R(\theta)v)^T x = 0$ with $\theta = \cos^{-1}(|b^T v|\,\|b\|^{-1})$ and $\psi(0, x_0, t)$ converges to the origin, for any $\theta$ in the interval above $x(t) = \psi(0, x_0, t)$, with $x_0 \in \mathcal{D}_M$ s.t. $(R(\theta)v)^T x_0 > 0$, reaches the line $(R(\theta)v)^T x = 0$ in a point contained in $\mathcal{D}_M$. For $(cx_M)(cb) > 0$, $|a(\cdot)|$ monotonically decreases along $\psi(0, x_0, t)$ and hence $u$ is optimal. Conversely, if $(cx_M)(cb) < 0$, for any $x_0 \in \mathcal{D}_M$ between the lines $cAx = 0$ and $v^T x = 0$, $|a(\cdot)|$ monotonically increases along $\psi(0, x_0, t)$. Let $\theta_{cA} = \cos^{-1}(|cAv|\,\|cA\|^{-1})$ denote the angle between the lines $cAx = 0$ and $v^T x = 0$. For any $\theta \in (0, \theta_{cA})$, given $x_0 \in \mathcal{D}_M$ s.t. $v^T x_0 = 0$, $|a(\cdot)|$ is maximum at $\psi(0, x_0, \theta/\mu)$ on the line $(R(\theta)v)^T x = 0$, and

$$\lim_{\theta \to 0^+} \Big\{ \max_{t \in [0, \tau]} |c\psi(0, x_0, t)| \Big\} = \lim_{\theta \to 0^+} |c\psi(0, x_0, \theta/\mu)| = |cx_0| \,.$$

Hence, given any $\theta_1 \in (0, \theta_{cA})$, one can always find $\theta \in (0, \theta_{cA})$ such that $|c\psi(0, x_0, \theta/\mu)| < |c\psi(0, x_0, \theta_1/\mu)|$. For any $x_0 \in \mathcal{D}_M$ which can be steered to $(R(\theta)v)^T x = 0$ with $u = 0$, an upper bound for $|c\psi(0, x_0, \theta/\mu)| - |cx_0|$ is given by $|c(e^{-A\theta/\mu} - I)v_\perp|\,$[illegible]$\,\|b\|$. Hence, for any $\varepsilon > 0$, choosing $\theta \in (0, \theta_{cA})$ if $|c(e^{-A\theta/\mu} - I)v_\perp|\,$[illegible]$\,\|b\| < \varepsilon$, or $\theta \in (0, \theta_c)$ with $\theta_c$ the solution to the equation $|c(e^{-A\theta/\mu} - I)v_\perp|\,$[illegible]$\,\|b\| = \varepsilon$, yields $\sup_{0 \le t \le T} |c\psi(u, x_0, t)| - \Lambda < \varepsilon$. Q.E.D.

4 Hybrid system control scheme

Control law (13) is clearly not feasible for the hybrid model $M_{4cyl}$, introduced in Section 2, for three main reasons:

(a) available torque is limited to 0 and to the interval $[r_{min}M, M]$;

(b) there is a delay between the time of injection and the time at which the corresponding torque is generated;

(c) torque generation has to be synchronized with the powertrain dynamics.
Our solution to point (a) is to use bang-bang control everywhere in the state space, introducing an appropriate switching surface $\sigma(x) = 0$. To simplify the discussion of point (b), set $x(k) := x(t_k)$ and $u(k) := u(t_k)$ for all $k$. Control signal $j_i(k)$, at the current time $t_k$ corresponding to an $E \to H$ transition of the $i$-th cylinder, will produce, at the next expansion run of the $i$-th cylinder, the torque $u(k + 3)$. Such signal will feed the continuous system during the interval $[t_{k+3}, t_{k+4})$, steering the state from $x(k + 3)$ to $x(k + 4)$. A prediction of $x(k + 3)$ is obtained from $x(k)$ by a forward integration of (5). Because of the synchronization constraint mentioned in (c), switchings of the torque $u$ cannot occur, in general, exactly on $\sigma(x) = 0$. This issue is the main difficulty for devising a robust control strategy and is the main subject of this section.

If it is predicted that $x(t)$ will cross the switching surface $\sigma(x) = 0$ at some $t \in (t_{k+3}, t_{k+4})$, one can decide to switch $j_i$ either at $t_k$ or at $t_{k+1}$. In certain conditions, if switching is anticipated, an acceleration peak may be introduced. For this reason, we decide to switch always at time $t_{k+1}$, i.e.

$$j_i(k) = \begin{cases} 0 & \text{if } x(k+3) \in B_\rho \\[4pt] \begin{cases} 0 & \text{if } \sigma(x(k+3)) \ge 0 \\ 1 & \text{if } \sigma(x(k+3)) < 0 \end{cases} & \text{if } x(k+3) \notin B_\rho \,. \end{cases} \qquad (17)$$
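An added Python example (not the paper's code) that serves two passages: the argument of Section 2.2 that, with $u = 0$, the norm of $x$ decreases so that $|a(t)| \le a_{th}$ once $x \in B_\rho$, and the delayed decision scheme (17) above, where $j(k)$ decided at $t_k$ becomes the torque $u(k+3)$ and $x(k+3)$ is predicted by forward integration of (5) over the three torques already committed. Constructed assumptions: $A$ in the real modal form $[[\lambda, -\mu], [\mu, \lambda]]$ with $\lambda = -1$, $\mu = 6$ (the form under which $\frac{d}{dt}\|x\|^2 = 2\lambda\|x\|^2$, as the text states), made-up $b$, $c$, $a_{th}$, $M$, crank speed and $x_0$, and $\sigma$ taken as the plain switching line $v^T x = 0$ of (13) rather than the refined surface (19).

```python
"""Added example (not the paper's code) for two passages: the invariance of
B_rho under u = 0 argued in Section 2.2, and the delayed bang-bang scheme
(17) of Section 4, where j(k) decided at t_k acts as torque u(k+3).
Constructed assumptions, none taken from the page: A is in the real modal
form [[lam, -mu], [mu, lam]] with lam < 0 (the form under which
d/dt ||x||^2 = 2 lam ||x||^2, as the text states); b, c, a_th, M, the crank
speed and x0 are made-up numbers; sigma is the plain switching line
v^T x = 0 of (13), not the refined surface (19)."""
import math

LAM, MU = -1.0, 6.0            # poles lam +/- j mu of the reduced model (5)
B = (0.0, 1.0)                 # input vector b
C = (1.0, 0.0)                 # output row c, a(t) = c x(t)
A_TH = 0.05                    # perception threshold a_th
M = 1.0                        # torque with full injection, M = G q0
RHO = A_TH / math.hypot(*C)    # radius of B_rho in (7): |c x| <= ||c|| ||x||

def norm(x):
    return math.hypot(x[0], x[1])

def equilibrium(u):
    """x_u = -A^{-1} b u with A^{-1} = [[lam, mu], [-mu, lam]]/(lam^2+mu^2)."""
    d = LAM * LAM + MU * MU
    return (-(LAM * B[0] + MU * B[1]) * u / d, -(-MU * B[0] + LAM * B[1]) * u / d)

def flow(x, u, dt):
    """Exact solution of (5) with constant u on [t, t+dt):
    x(t+dt) = e^{A dt}(x - x_u) + x_u, and e^{A dt} = e^{lam dt} R(mu dt)."""
    xu = equilibrium(u)
    dx, dy = x[0] - xu[0], x[1] - xu[1]
    g, co, si = math.exp(LAM * dt), math.cos(MU * dt), math.sin(MU * dt)
    return (g * (co * dx - si * dy) + xu[0], g * (si * dx + co * dy) + xu[1])

def in_ball(x):
    return norm(x) <= RHO

def free_response_keeps_bound(x0, dt, steps):
    """Section 2.2: from x0 in B_rho with u = 0 the norm keeps decreasing
    and |a(t)| = |c x(t)| stays below a_th at every sample."""
    x, prev = x0, norm(x0)
    for _ in range(steps):
        x = flow(x, 0.0, dt)
        n = norm(x)
        if n >= prev or n > RHO or abs(C[0] * x[0] + C[1] * x[1]) > A_TH:
            return False
        prev = n
    return True

def switching_line():
    """v = -||x_M||^{-1} (x_M)_perp with z_perp = R(pi/2) z, as in Section 3."""
    xm = equilibrium(M)
    n = norm(xm)
    return (xm[1] / n, -xm[0] / n)

def sigma(x, v=switching_line()):
    return v[0] * x[0] + v[1] * x[1]

def simulate_cutoff(x0, rpm, transitions):
    """Hybrid loop of Section 4: one EFSM transition every 180 deg of crank,
    i.e. every delta = 30/rpm s at constant crank speed.  u(0), u(1), u(2)
    were committed before t_0 (injection still on).  Returns the decision
    records (k, x(k), predicted x(k+3), j(k)) and the final state."""
    delta = 30.0 / rpm
    torque = [M, M, M]                    # u(0), u(1), u(2)
    x, records = x0, []
    for k in range(transitions):
        pred = x                          # forward integration of (5) over
        for u in torque[k:k + 3]:         # the three committed torques
            pred = flow(pred, u, delta)
        if in_ball(pred):
            j = 0                         # (17): inside B_rho, no fuel
        else:
            j = 0 if sigma(pred) >= 0 else 1
        torque.append(M * j)              # becomes u(k+3)
        records.append((k, x, pred, j))
        x = flow(x, torque[k], delta)
    return records, x

def prediction_is_exact(records):
    """x(k+3) met three decisions later equals the prediction made at k."""
    by_k = {k: x for k, x, _, _ in records}
    return all(k + 3 not in by_k or by_k[k + 3] == pred
               for k, _, pred, _ in records)

def injection_off_after_entering(records):
    """Once a predicted x(k+3) lies in B_rho, every later j(k) is 0: the
    free response then keeps the state inside B_rho (Section 2.2)."""
    entered = False
    for _, _, pred, j in records:
        entered = entered or in_ball(pred)
        if entered and j:
            return False
    return True
```

The two invariants checked here (the prediction is exact because the three intervening torques are already committed, and injection stays off once a predicted $x(k+3)$ lies in $B_\rho$) hold for any $\sigma$; whether $B_\rho$ is actually reached without a limit cycle depends on $\sigma$, which is what the lemma below establishes for the paper's own surface.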


Control law (17) may fail to switch injection to 0 when the state $x$ enters $B_\rho$, and possibly go into a limit cycle. If $u(t) = M$ for $t \in [t_{k+3}, t_{k+4}]$, there may be crankshaft speeds such that the delay $t_{k+4} - t_{k+3}$ causes the trajectory $\psi(M, x(t_{k+3}), t)$ to intersect $B_\rho$ leaving both decision points $x(k+3)$ and $x(k+4)$ outside $B_\rho$. A necessary condition for this not to happen is to have $\|x(t_{k+4})\| < \|x(t_{k+3})\|$. The locus of points which under control $u = M$ increase their norm in time $\Delta$ is

$$N_\Delta = \left\{ x \,\middle|\, \|x\| < \|e^{A\Delta}(x - x_M) + x_M\| \right\} \,. \qquad (18)$$

Suppose there exist two distinct intersections of the boundaries of $B_\rho$ and $N_\Delta$, namely $x^{(1)}$ and $x^{(2)}$, as shown in Figure 4. Let $\psi_{M^-}(x, \alpha) = e^{-A\alpha/\beta}(x - x_M) + x_M$ be the point such that $\psi(M, \psi_{M^-}(x, \alpha), \alpha/\beta) = x$. Let $\psi_c^{(1)}(\cdot)$ and $\psi_c^{(2)}(\cdot)$ be the curves $\psi_c^{(1)}(\alpha) = \psi_{M^-}(x_A, \alpha)$ and $\psi_c^{(2)}(\alpha) = \psi_{M^-}(x_B, \alpha)$, with $\alpha \in [\,\cdot\,, \pi]$ (the lower end of the interval is illegible in the scan), where $x_A$, $x_B$ are such that $v^T x_A = 0$, $v^T x_B = 0$, $v_\perp^T(x_A - x_M) < 0$, $v_\perp^T(x_B - x_M) < 0$ and $x^{(1)} \in \psi_c^{(1)}(\cdot)$, $x^{(2)} \in \psi_c^{(2)}(\cdot)$. Let $x_D = \psi_c^{(2)}(\pi)$, and define the switching function in (17) as

$$
\sigma(x) = \begin{cases}
\left(v^T b/\|b\|\right)^{-1} v^T x & \text{if } (b_\perp^T x < b_\perp^T x_\rho) \vee (b_\perp^T x > b_\perp^T x_D) \\[1ex]
(b/\|b\|)^T (x - x'), \ \text{with } x' \text{ s.t. } (b_\perp^T(x - x') = 0) \wedge (x' \in \psi_c^{(2)}(\cdot)) & \text{if } b_\perp^T x_\rho < b_\perp^T x < b_\perp^T x_D
\end{cases}
\qquad (19)
$$

(a further sub-case of (19), for the part of the band where the switching curve follows the boundary of $B_\rho$, is illegible in the scan).


Control $\mu(k)$ in (17) switches on the curve described as follows (see Figure 4): the half line $v^T x = 0$ with $v_\perp^T(x - x_\rho) < 0$, where $x_\rho = -\rho v_\perp$; the arc of the boundary of $B_\rho$ from $x_\rho$ to $x^{(2)}$; the arc of $\psi_c^{(2)}(\cdot)$ from $x^{(2)}$ to $x_D$; the half line $v^T x = 0$ with $v_\perp^T(x - x_D) > 0$. Such a choice can prevent the existence of limit cycles, as illustrated in the following lemma.

Fig.  4.  Derivation  of  the  hybrid  switching  surface. 


Lemma 10. If $\|x_M\| > \rho$, there exists a finite $\omega_{c,\min}$ such that, substituting $\Delta$ in (18) with $\Delta_{\max} = 30/\omega_{c,\min}$ (with $\omega_{c,\min}$ in rpm), if a trajectory of system $\mathcal{M}_{4cyl}$ under control law $\mu(k)$ as in (17), with $\omega_c(t) \ge \omega_{c,\min}$ $\forall t \ge 0$, intersects $\sigma(x) = 0$ through the arc $\psi_c^{(2)}(\alpha)$ with $\alpha \in [0, \pi]$ at some time $t \in [t_{k+3}, t_{k+4}]$, then $x(t) \in B_\rho$ for all $t \ge t_{k+4} + \,\cdot$ (the additive term is lost in the scan).

Proof. Note that $N_\Delta \to N_0$ as $\Delta \to 0$, where $N_0$ is the disk whose boundary passes through both $x_M$ and the origin $0$ (its center is illegible in the scan). From the hypothesis $\|x_M\| > \rho$,

$$
\exists\, x^{(1)}, x^{(2)} \in \mathbb{R}^2, \ \text{with } x^{(1)} \neq x^{(2)}. \qquad (20)
$$

By continuity and monotonicity, there exists a finite time $\Delta_{\max,1} > 0$ and correspondingly a speed $\omega_{c,\min,1} = 30/\Delta_{\max,1}$, such that for all $\Delta \le \Delta_{\max,1}$, (20) holds and (19) is well defined.

Under the hypotheses of the Lemma, all points $x(k+4)$ belong to the set

$$
S_\Delta = \{\, x : x = e^{A\delta}\psi_c^{(2)}(\alpha), \ \text{with } \alpha \in [0, \pi] \text{ and } \delta \in [0, \Delta] \,\}, \qquad (21)
$$

with boundaries: $\psi_c^{(2)}(\alpha)$ with $\alpha \in [0, \pi]$; $\psi_\Delta^{(2)}(\cdot)$, where $\psi_\Delta^{(2)}(\alpha) = e^{A\Delta}\psi_c^{(2)}(\alpha)$, with $\alpha \in [0, \pi]$; $\psi(0, x_D, \delta)$ with $\delta \in [0, \Delta]$; $\psi(0, x_B, \delta)$ with $\delta \in [0, \Delta]$.

If $x(k+4) \in B_\rho$, then $\mu(k+1) = 0$ and $x(t) \in B_\rho$ $\forall t \ge t_{k+4}$. If $x(k+4) \notin B_\rho$, then $\mu(k+1) = 1$. If $S_\Delta \cap \psi_c^{(1)}(\cdot) = \emptyset$, then the trajectory $\psi(M, x(k+4), t)$ originating at $x(k+4)$ under $u(t) = M$ enters $B_\rho$ through the arc from $x^{(1)}$ to $x^{(2)}$. Since $\|x_M\| > \rho$, $\psi(M, x(k+4), t)$ reaches $B_\rho$ at a time $t_\rho \le t_{k+4} + \,\cdot$ (term lost in the scan).

By construction there exists a $K > k+4$ such that $x(K-1) \notin B_\rho$ and $x(K) \in B_\rho$, since $x(K-1) \notin N_\Delta$, with $t_{K-1} \le t_\rho \le t_K$. Consequently injection switches to zero, and $x(t) \in B_\rho$ $\forall t \ge t_\rho$. Moreover $\lim_{\Delta \to 0} \psi_\Delta^{(2)}(\cdot) = \lim_{\Delta \to 0} S_\Delta = \psi_c^{(2)}(\cdot)$, and necessarily $\psi_c^{(2)}(\cdot) \cap \psi_c^{(1)}(\cdot) = \emptyset$. By continuity and monotonicity, there exists a finite time $\Delta_{\max} > 0$ with $\Delta_{\max} \le \Delta_{\max,1}$, and correspondingly a speed $\omega_{c,\min} = 30/\Delta_{\max}$, such that for all $\Delta \le \Delta_{\max}$, $S_\Delta \cap \psi_c^{(1)}(\cdot) = \emptyset$. Q.E.D.

To find $\Delta_{\max}$ of Lemma 10, we derive a function $f(\Delta)$ which is positive if $S_\Delta \cap \psi_c^{(1)}(\cdot) = \emptyset$ and negative otherwise. We first determine the trajectory $\psi_c^{(1)}(\alpha) = \psi_{M^-}(x_A, \alpha)$, with $\alpha \in [0, \pi]$ and $v^T x_A = 0$, such that $\psi_\Delta^{(2)}(\cdot)$ is tangent to $\psi_c^{(1)}(\cdot)$ at the point $x_\Delta = \psi_\Delta^{(2)}(\alpha_\Delta)$. At the point $x_\Delta$ the two curves have parallel tangents:

$$
\frac{d\psi_\Delta^{(2)}}{d\alpha}\Big|_{\alpha = \alpha_\Delta} \ \parallel\ \frac{d\psi_c^{(1)}}{d\alpha}\Big|_{x_\Delta}\,. \qquad (22)
$$

Condition (22) is satisfied for $\alpha_\Delta = \beta\Delta + \cos^{-1}\!\big(v_\perp^T\,\mathrm{vers}(e^{A\Delta}x_M - x_M)\big)$. Consider $x_{\Delta A} = \psi_c^{(1)}(\alpha_{\Delta A})$, with $\alpha_{\Delta A} = \cos^{-1}\!\big(v^T\,\mathrm{vers}(x_\Delta)\big)$, and define $f(\Delta) = \|x_{\Delta A} - x_M\| - \|x_\Delta - x_M\|$. Control $\mu$ does not lead to limit cycles when crossing $\psi_c^{(2)}(\cdot)$ if

$$
f(\Delta) = \|x_{\Delta A} - x_M\| - \|x_\Delta - x_M\| > 0\,. \qquad (23)
$$

Convergence of the trajectories intersecting the switching surface on $\psi_c^{(2)}(\cdot)$ is addressed in the previous lemma. However, we need to prove convergence for all initial conditions.

Let us compare the trajectories when intersecting the line $v^T x = 0$, which is the optimal switching surface for the continuous case. In the hybrid case, the switching occurs with some delay due to the discretization of the decision points. There are two cases to analyze: a) $v_\perp^T x < 0$, i.e. the intersection is to the left of $B_\rho$; b) $v_\perp^T(x - x_M) > 0$, i.e. the intersection is to the right of $B_\rho$.

In both cases, we can bound the difference between the norm of the points on the optimal trajectory and the norm of those corresponding to the hybrid control law. We can also compare the performance of the hybrid control law with respect to acceleration peaks. Note that, since the switchings occur at different points, we compare the points at the next intersection with the optimal switching line $v^T x = 0$, so as to be able to compare norms.

Let $x_{M0}$ be such that $v^T x_{M0} = 0$, with $v_\perp^T x_{M0} < 0$. Consider the point $x_{M0}^{(1)}$ reached under control $u = M$ for $\Delta$ seconds, i.e., the point that corresponds to the switching of control occurring as far as possible from the optimal switching surface. The hybrid trajectory then reaches $v^T x = 0$ at the point $x_{M0}^{(2)}$ under control $u = 0$, that is

$$
x_{M0}^{(1)} = e^{A\Delta}(x_{M0} - x_M) + x_M, \qquad
x_{M0}^{(2)} = e^{A\frac{1}{\beta}\cos^{-1}\left(v^T \mathrm{vers}(x_{M0}^{(1)})\right)}\, x_{M0}^{(1)}.
$$

Let $x_{M0}^{(3)} = e^{A\pi/\beta} x_{M0}$ be the point reached by the continuous trajectory from $x_{M0}$; we define

$$
w^0(x_{M0}, \Delta) = \|x_{M0}^{(2)}\| - \|x_{M0}^{(3)}\|, \qquad
w_a^0(x_{M0}, \Delta) = |c\, v_\perp|\, e^{\frac{\lambda}{\beta}\alpha_c}\, w^0(x_{M0}, \Delta),
$$

the increase in norm due to non-optimal switching and the corresponding increase in the peak following the transition, where $\alpha_c = \cos^{-1}(v^T y)$.

Let $x_{0M}$ be such that $v^T x_{0M} = 0$ and $v_\perp^T(x_{0M} - x_M) > 0$ and, analogously to the previous case, consider the points $x_{0M}^{(3)} = \psi(M, x_{0M}, \pi/\beta)$ and $x_{0M}^{(1)} = \psi(0, x_{0M}, \Delta)$, respectively on the continuous and on the hybrid trajectory; the latter subsequently reaches $x_{0M}^{(2)} = \psi\big(M, x_{0M}^{(1)}, \tfrac{1}{\beta}\cos^{-1}(\,\cdot\,)\big)$ (the argument of $\cos^{-1}$ is lost in the scan), and with the same meaning we define

$$
w^M(x_{0M}, \Delta) = \|x_{0M}^{(2)}\| - \|x_{0M}^{(3)}\|, \qquad
w_a^M(x_{0M}, \Delta) = |c\, v_\perp|\, e^{\frac{\lambda}{\beta}\alpha_c}\, w^M(x_{0M}, \Delta).
$$

The two functions $w^0(x_{M0}, \Delta)$ and $w^M(x_{0M}, \Delta)$ bound the increase in norm due to the late switching for the $u = M \to u = 0$ transition and for the $u = 0 \to u = M$ transition of the torque value, respectively. Not surprisingly, both functions are monotonically decreasing with respect to $\|x_{M0}\|$ ($\|x_{0M}\|$) and $\omega_c = 30/\Delta$, that is, the increase in norm is smaller for high revolution speeds and for initial conditions that are far from $B_\rho$.

Now we are ready to discuss the convergence of the control law. Here we have to show that the trajectories originating from points away from $B_\rho$ tend towards $B_\rho$. To do so, we show that the norm of two consecutive intersection points of the same trajectory under the hybrid control law with $v^T x = 0$, $v_\perp^T(x - x_\rho) > 0$, decreases. Because of the monotonic behavior of $w^0(x_{M0}, \Delta)$ and $w^M(x_{0M}, \Delta)$, the worst initial condition is the one closest to the origin which may not switch between $\psi_c^{(1)}(\cdot)$ and $\psi_c^{(2)}(\cdot)$. To identify such an initial condition, consider Figure 5.


Fig.  5.  Limiting  trajectory  and  Parameters  ranges. 


The trajectory obtained by back integration from $x_A$ with torque $u = M$ switches to $u = 0$ at some point $x_S$ between $v^T x = 0$ and $\bar v^T x = 0$, where $\bar v = e^{-\lambda\Delta} e^{A\Delta} v$. The worst point is $x_S = x_A^{(-1)} = \psi_c^{(1)}(\bar\alpha)$, with $\bar\alpha \in [0, \pi]$ the solution to $\bar v^T \psi_c^{(1)}(\alpha) = 0$. In fact, points on $\bar v^T x = 0$ correspond to a switching occurring with the maximum delay $\Delta$ with respect to the ideal switching. Now, let $x_A^{(-2)} = e^{-A\Delta} x_A^{(-1)}$ be the point on $v^T x = 0$ from which the latest switching from $u = 0$ to $u = M$ leads to $x_A$. All other points on $v^T x = 0$ with $0 < v_\perp^T x < v_\perp^T x_A^{(-2)}$ fall into $B_\rho$ and are characterized by Lemma 10. Let $x_A^{(3)}$ be the point on $v^T x = 0$ after a late switching from $x_A$; then $\|x_A^{(-2)}\| - \|x_A^{(3)}\|$ bounds from below the decrease in norm on the trajectory between two consecutive intersection points with $v^T x = 0$, $v_\perp^T(x - x_A^{(-2)}) > 0$, due to the way we picked the switching surfaces and $x_A$. If indeed

$$
\|x_A^{(-2)}\| - \|x_A^{(3)}\| = \|x_A^{(-1)}\|\, e^{-\lambda\Delta} - \|x_A\|\, e^{\lambda\pi/\beta} - w^0(x_A, \Delta) > 0 \qquad (24)
$$

then all the other initial conditions farther than $x_A^{(-2)}$ from the origin yield trajectories with decreasing norms, and the control law is convergent.

In the end, control law $\mu$ is convergent for all $\omega_c > 30/\Delta$, if $\Delta$ is such that

C1: $\partial N_\Delta \cap \partial B_\rho \neq \emptyset$, i.e. there exist $x^{(1)}, x^{(2)} \in \mathbb{R}^2$ so that $\sigma(x)$ can be constructed as in (19);

C2: the limit cycle condition (23) holds;

C3: the norm convergence condition (24) holds.

Performance of the hybrid control law with respect to acceleration peaks can be compared to that of the continuous one.

Proposition 11. For any choice of the parameters such that conditions C1, C2, C3 are satisfied, and $(c\, x_M)(c\, b) > 0$, there exists a $\rho_\Delta > 0$ such that: given $x_0$ with $\|x_0\| > \rho_\Delta$, let $\hat x = \psi(u, x_0, t)$, with $t \in [0, \hat T]$ and $u$ as in (13), be such that $\max_{t \in [0, \hat T]} |c\, \psi(u, x_0, t)| = |c\, \hat x|$. Let $T$ be such that $\psi(u, x_0, T) \in \partial B_\rho$, with $u$ given by $\mathcal{M}_{4cyl}$ under control $\mu(k)$. Let $\bar x = \psi(u, x_0, t)$, with $t \in [0, T]$, be such that $\max_{t \in [0, T]} |c\, \psi(u, x_0, t)| = |c\, \bar x|$, and let $x_v = \psi(u, x_0, t_v)$, with $t_v \in [0, \pi/\beta]$, be such that $v^T x_v = 0$. Then, if $v^T x_0 < 0$,

$$
0 \le |c\, \bar x| - |c\, \hat x| \le w^0(x_v, \Delta_{\max}) \le w^0(-\rho_\Delta v_\perp, \Delta_{\max}), \qquad (25)
$$

where $\Delta_{\max} = 30/\omega_{c,\min}$. If $v^T x_0 > 0$,

$$
0 \le |c\, \bar x| - |c\, \hat x| \le w^M(x_v, \Delta_{\max}) \le w^M(\rho_\Delta v_\perp, \Delta_{\max}). \qquad (26)
$$

In particular $\mu(k)$ is optimal for Problem 1, i.e. $|c\, \bar x| - |c\, \hat x| = 0$, if $x_0$ belongs to either $P_1 = \{x \mid v^T x < 0,\ v_\perp^T(x - x_M) < 0\}$ or $P_2 = \{x \mid v^T x > 0,\ v_\perp^T x > 0\}$.

5  Experimental  Results 

The proposed cut-off control strategy has been implemented and tested at Magneti-Marelli Engine Control Division on a commercial car, a 16-valve 1400 cc engine car equipped with drive-by-wire electronics. The engine control electronics is a 4LV Magneti Marelli on-board computer based on a 25 MHz 32-bit Althair Motorola microprocessor with fixed-point arithmetic unit. The experiment was carried out driving the car on the test ring and measuring the important parameters and variables that determine the performance of the control strategy.


5.1  Model  Parameters 


The continuous powertrain dynamics of the car is described by a state matrix $A_p$ and an input vector $b_p$, whose entries survive in the scan only in reading order, the row and column layout having been lost:

$A_p$, $b_p$ entries: $0,\ 1,\ -7.556,\ 0,\ -448.1,\ -5.186,\ 30.87,\ 15.05,\ 3.042,\ 0.02773,\ -0.2105,\ 0$.

They have dominant pole $\lambda_1 = -0.05460$ and complex poles $\lambda \pm j\beta = -2.671 \pm j21.54$, where the parameters of the model were carefully identified on the actual engine. The output map from the states $\xi = [\alpha_e, \omega_c, \omega_p]^T$ to the vehicle acceleration $a$ (in meters per second squared) is $c_p = [0.8022,\ 0.007313,\ -0.05525]$. The maximum torque achievable when the engine is idle with spark advance $\eta = 1$ is $M = 12.41$ Nm. The state-space transformation matrix $P$ (entries in reading order, layout lost in the scan: $0.05155,\ 20.83,\ 0.1596,\ 0.04924,\ 7.252,\ 0.12780,\ -0.5979,\ -0.9517,\ 7.195$; three further entries, $0.7410,\ 1.923,\ -14.$, appear displaced at the end of this subsection) allows us to rewrite the powertrain dynamics in the uncoupled form (4), with

$$
[\,\cdot\,,\ c] = [-1.857 \cdot 10^{-3},\ 3.726 \cdot 10^{-2},\ -2.523 \cdot 10^{-3}]
$$

(the first symbol of the left-hand side is illegible in the scan). The acceleration perception threshold was set to 0.03 times the acceleration due to gravity. Hence $\rho$ is 7.872.


5.2  Convergence  Analysis 

Before starting the experimentation of the proposed control algorithm, a corner analysis with respect to the vehicle inertia momentum $J_2$ was carried out, in order to establish the minimum crankshaft speed $\omega_{c,\min}$ for which (17) converges. Figure 5 reports the minimum crankshaft speed, obtained from conditions C1, C2, C3, for a given $J_2$ and for spark advance modulation factor $\eta \in \{0.6, 0.8, 1\}$. It is interesting to note that, acting on the spark advance, one can reduce $\omega_{c,\min}$ substantially. For the identified value $J_2 = 73.95$, we have $\omega_{c,\min} \approx 390$ rpm, 356 rpm, 329 rpm, respectively for $\eta = 1,\ 0.8,\ 0.6$.

To prevent the engine from stopping, cut-off strategies are usually not applied for $\omega_c < 1000$ rpm. With the identified parameters, for $\omega_c = 1000$ rpm, $f(\Delta) \approx 8.22$ and $\|x_A^{(-2)}\| - \|x_A^{(3)}\| \approx 7.92$, hence convergence of (17) is ensured.
5.3 Discussion

The cut-off control strategy is applied after the accelerator pedal is released and the manifold pressure is equal to 300 mbar. A simple Luenberger observer is used to estimate the state of the powertrain's continuous dynamics, from which the oscillatory components $x$ are derived. The initialization procedure also computes the observer gain matrix $L$, to obtain satisfactory convergence of the observer. The switching function $\sigma(x)$, given in Section 4, has been described by a piecewise linear approximation with 20 points.

In the sequel the performance achieved by the proposed cut-off strategy is compared with the performance of a currently implemented open-loop strategy and with an instantaneous uncontrolled cut-off operation. Figure 6 shows the evolution of the $x$ components of the observer state during a cut-off operation. The switching curve $\sigma(x) = 0$, as approximated in the implementation, is reported along with $B_\rho$. Next, the evolution of the crankshaft speed, in rpm, is reported. Only one significant positive peak is recognizable in the crankshaft speed. Such behavior is also shown in the next plot in terms of vehicle acceleration. As expected, once injection is set to zero permanently, $a(t)$ remains bounded within the perception threshold. Finally, the last plot shows the evolution of the injection signal.

The  experimental  results  fully  confirm  the  theory  of  Section  4.  When  com¬ 
paring  this  strategy  with  the  open  loop  strategy  used  in  the  previous  implemen¬ 
tation,  we  observed  a  much  better  performance  in  terms  of  acceleration  peaks 
and  driving  comfort.  One  could  argue  that  this  improvement,  predicted  by  the 
theory,  has  been  obtained  with  a  more  expensive  implementation.  Actually  our 
strategy  resulted  in  a  much  smaller  memory  occupation  and  in  a  very  reason¬ 
able  CPU  time.  In  fact,  the  code  size  was  70%  and  the  data  size  was  50%  of  the 
ones  needed  by  the  previously  implemented  strategy.  The  CPU  power  needed 
to  run  the  control  algorithm  was  about  1%  of  the  available  computing  power. 
In  addition,  our  strategy,  being  closed  loop,  needed  much  less  tuning  effort  than 
the  open  loop  strategy. 


6  Conclusions  and  future  work 

In  this  paper,  we  presented  a  novel  approach  to  engine  control  in  the  cut-off 
region,  based  on  a  hybrid  model  of  the  torque  generation  and  of  the  power-train 
dynamics  in  a  four-stroke  engine.  A  control  problem  on  this  hybrid  system  is 
defined  and  solved  using  a  sequence  of  approximations.  The  properties  of  the 
control  law  so  obtained  have  been  characterized,  thus  offering  better  confidence 
on  the  quality  of  the  results  with  respect  to  commonly  used  heuristic,  open  loop, 
approaches.  In  addition,  since  the  control  law  is  closed  loop,  expensive  tuning 
processes  can  be  avoided  yielding  a  commercially  appealing  solution.  We  expect 
to  see  the  final  version  of  the  control  laws  in  products  by  the  first  half  of  1998.  In 
addition,  we  expect  to  extend  the  approach  to  the  problem  of  idle  speed  control 
that  shares  several  key  features  with  the  cut-off  control  problem. 
Fig. 6. Evolutions in the $x$ sub-space of the observer state during cut-off operations. From left to right: the proposed control, a currently implemented strategy and instantaneous cut-off. State samples are linked by a continuous arc if in the previous cycle injection took place, by a dotted one if it did not. Evolution of the corresponding revolution speed (in rpm), vehicle acceleration (in m/s$^2$; the dotted line represents the total acceleration $a(t)$ and the continuous line its oscillating component), and injection signal.
Hybrid Control of Automotive Powertrain Systems: A Case Study

Ali Beydoun, Le Yi Wang, Jing Sun and Shiva Sivashankar


1  Introduction 

This  paper  is  concerned  with  the  problem  of  hybrid  control  strategies  for  auto¬ 
motive  powertrain  systems.  Automotive  systems  represent  an  important  class  of 
practical  hybrid  systems  which  are  characterized  by  the  following  features: 

1.  The  systems  are  inherently  hybrid,  i.e.,  hybrid  control  is  not  merely  a  choice. 
This  is  exemplified  by  transmission  gear  positions  (discrete)  and  engine 
throttle  control  (analog). 

2.  System  dynamics  are  highly  nonlinear  and  contain  parametric  errors  and 
structural  uncertainties.  Any  model  that  is  suitable  for  control  system  de¬ 
velopment  will  inevitably  contain  large  modeling  errors. 

In this paper, a hybrid control design approach is used to develop control strategies for coordination of automotive engine and transmission systems. The main goal is to improve system performance, fuel economy, robustness, and other performance specifications. The design procedure follows closely the main ideas of the method introduced recently in [4]. The method employs performance indices in guiding both analog and discrete control actions such that robust stability and performance of closed-loop hybrid systems are maintained, in the presence of modeling errors, disturbances, and structural uncertainties. The method, however, must be modified significantly in this case study to accommodate practical constraints, including actuator saturations, gear shifting limitations, and real-time computation requirements.


1.1  Automotive  Powertrain  Hybrid  Systems 

Consider a typical automotive powertrain system shown in Figure 1. Depending on engine mechanical configurations, control signals may include throttle angle $\theta$ (which is controlled either manually by the driver's foot pedal, or electronically by engine controllers), spark advance $\delta$, exhaust gas recirculation EGR, air/fuel ratio AFR, transmission gear position $G$, swirl control valve (SCV), etc. The outputs of the system may include vehicle speed, emission pollutants (such as HC, CO, and NO$_x$), fuel consumption, etc. There are certain discrete actions which cannot be controlled by powertrain control systems. For instance, the action of the driver to switch on cruise control is an uncontrollable discrete action. On the other hand, gear positions and SCV actions are discrete control variables.

The  design  objectives  include  fast  and  smooth  acceleration  responses  to  the 
driver’s  pedal  commands;  low  fuel  consumption;  low  levels  of  tailpipe  emissions; 
and  reduction  of  noise  and  vibration;  among  others.  These  performance  measures 
are  to  be  achieved  in  a  wide  range  of  operating  conditions  in  the  presence  of 
discrete  uncertainties  such  as  cruise  control  switching,  and  analog  disturbances 
such  as  load  changes  from  road  conditions. 

Several important characteristics of powertrain systems have rendered classical control design methodologies ineffective in developing highly efficient modern powertrain control systems. First, powertrain systems are inherently hybrid. Gear selections and switching of cruise control are clearly discrete actions which can only assume a finite number of values. In contrast, $\theta$, $\delta$, EGR and AFR are analog signals. Discrete actions such as gear shifts will cause a rapid change of internal states (such as engine speed) and system dynamics.


Fig. 1. Powertrain Systems (block diagram; only its labels survive in the scan: input "Driver's Command", outputs Acceleration, Fuel, Emission, NVH).


Second, powertrain hybrid systems are highly nonlinear, operate in a wide range of conditions, have to tolerate large disturbances and uncertainties, and have both controllable and uncontrollable discrete events. To achieve a total trade-off among competing performance specifications, it becomes necessary to apply complicated control mechanisms and search for optimal combinations of control variables.

Besides  the  nonlinear  and  hybrid  nature  of  powertrain  systems,  hardware 
limitations  also  impose  certain  constraints  on  control  strategies.  First,  actuators 
such  as  throttle  and  spark  have  significant  saturation  limits,  determined  either  by 
mechanical  design  limits  or  operating  conditions.  Second,  the  control  decisions 
must  be  made  with  limited  on-board  computation  resources.  Third,  frequent 
gear  shifting  and  gear  hunting  should  be  avoided. 

1.2  Generic  Hybrid  Control  Structures 

Automotive  powertrain  systems  are  special  cases  of  the  generic  state-space  hy¬ 
brid  systems  depicted  in  Figure  2. 


Fig.  2.  Hybrid  Systems 


Mathematically, hybrid systems in state-space form are expressed as

$$
\dot x = f(x, u, d; s; t) + \Delta(x, u, d; s; t), \qquad s = \mathrm{DES}(\delta_d, a) \qquad (1)
$$

where $x(t) \in \mathbb{R}^n$ is the analog state, $u(t) \in \mathbb{R}^m$ the analog control input, $d \in \Omega_d$ the analog disturbances; $s$ is the discrete state, $\delta_d \in \Omega_\delta$ is the uncontrolled discrete action, and $\Omega_\delta$ is called the discrete uncertainty set; $a(t) \in \Sigma$ is the discrete control action, and $\Sigma$ is a finite set of admissible discrete control actions. $\Delta \in \Omega$ represents model uncertainties, and $\Omega$ is called the model uncertainty set. $f$ is assumed to be continuous in $x$ and $u$. DES is a discrete event automaton.

The discrete action $\alpha$ (i.e., $\delta_d$ or $a$) takes the form $\alpha = (s, s_1)$, where $s$ is the old discrete state and $s_1$ the new one. Associated with a discrete action at $t$, the system nominal dynamics will switch from $\dot x = f(x, u, d; s; t)$ to $\dot x = f(x, u, d; s_1; t)$, and the state $x$ will jump from $x(t^-)$ to $x(t^+)$.

For  the  powertrain  systems  in  this  study,  the  discrete-event  system,  which 
includes  the  gear  set  and  its  shift  schedule,  contains  essentially  the  four  gear 
positions  of  gears  1  through  4.  For  the  purpose  of  control  design,  the  powertrain 
systems  will  be  modeled  as  a  second-order  nonlinear  system  without  time-delay. 
This  approximation,  combined  with  engine-to-engine  deviations,  environmental 
changes,  inherent  time-delays,  external  disturbances  and  structural  uncertainty, 
results  in  large  modeling  errors.  As  a  result,  control  strategies  must  not  only 
deliver  satisfactory  performance  under  a  nominal  condition,  but  also  guarantee 
robustness  against  all  such  uncertainties. 

2  Simplified  Powertrain  Models 


Fig. 3. Engine-Transmission Hybrid Control Systems (block diagram; the disturbance input $d$ collects road condition, temperature, etc.).


For  this  case  study,  we  employ  a  simplified  powertrain  system  model  which 
contains  an  engine,  a  static  transmission  system  and  a  simple  buffer  representing 
a  torque  convertor.  Its  structure  is  depicted,  together  with  a  hybrid  controller, 
in  Figure  3.  The  engine  model  is  based  on  a  1.8L  4  cylinder  port  fuel  injection 
engine.  The  model  was  developed  by  Ken  Butts  from  Ford  Research  Lab  in 
collaboration  with  Mathworks  Inc.  [2],  based  on  a  paper  by  P.R.  Crossley  and 
J.A.  Cook  [1].  This  model  can  be  obtained  free  of  charge  from  Mathworks.  While 
the  model  does  not  quantitatively  represent  a  modern  production  powertrain 
system,  it  is  significantly  representative  in  its  structure  and  essential  features. 
As  a  result,  the  control  strategies  developed  based  on  this  model  can  be  readily 
extended  to  cover  more  realistic  powertrain  systems. 

2.1  Models 

We assume that the powertrain system is equipped with an electronic throttle. As a result, the throttle angle or air charge becomes the primary analog control variable. The air charge rate $\dot m$ (g/s) through the throttle body is a function of the throttle angle $\theta$ (degrees) and manifold pressure $p$ (kPa),

$$
\dot m = f(\theta)\, g(p),
$$

where

$$
f(\theta) = 2.821 - 0.05231\,\theta + 0.10299\,\theta^2 - 0.00063\,\theta^3
$$

and

$$
g(p) = \begin{cases}
\dfrac{2}{p_a}\sqrt{p\, p_a - p^2}, & p \ge 0.5\, p_a; \\[1.5ex]
1, & p < 0.5\, p_a.
\end{cases}
$$

In a normal operating condition, the atmospheric pressure $p_a$ is approximately $p_a = 100$ kPa.

The manifold dynamics is usually modeled as a first-order linear system which relates air charges to the changes in manifold pressure $p$:

$$
\dot p = k(\dot m - M)
$$

where $k = 0.5786$ is a constant under some idealized assumptions and $M$ (g/s) is the air charge rate into the cylinders. The induction of air into the engine cylinders can be modeled as a nonlinear function of the engine rotational speed $N_r$ (rad/s) and manifold pressure $p$,

$$
M = -0.366 + 8.979\, p\, N_r - 337\, N_r\, p^2 + 0.01\, p\, N_r^2
$$

where $N_r$ is the engine rotational speed in rad/s, which is related to the engine speed $N$ in RPM by a conversion whose formula is lost in the scan.
which  defines  the  ratio  of  engine  speed  to  vehicle  speed  for  each  gear  position. 
We assume that the transmission has 4 gear positions with the corresponding ratios

$$
\frac{\text{engine speed}}{v} = \beta(i), \qquad i = 1, 2, 3, 4
$$

with $\beta(1) = 28.10$, $\beta(2) = 15.69$, $\beta(3) = 10.30$, $\beta(4) = 7.26$, in (rad/s)/(m/s). To capture the damping effect of torque converters, the transient value of $\beta$ when gear shifting occurs will be an exponential function from the old value to the new value, taking an average of 0.5 second to finish the transition.

Combining the above equations, we obtain the first dynamic equation

$$
\dot p = k\dot m - k\left(-0.366 + 8.979\, p\, N_r - 337\, N_r\, p^2 + 0.01\, p\, N_r^2\right)
= a_0 + a_1\, p\, \beta(i)\, v + a_2\, \beta(i)\, v\, p^2 + a_3\, p\, (\beta(i))^2 v^2 + u
$$

where $a_0 = -k(-0.366)$, $a_1 = -k\, k_n (8.979)$, $a_2 = -k\, k_n (-337)$, $a_3 = -k\, k_n^2 (0.01)$, and $k_n$ is a constant whose value is illegible in the scan; for control design purposes, we define

$$
u = k\dot m
$$

as the control signal. If the throttle is not saturated, the real control variable, i.e., the throttle angle, can be determined by the throttle body mapping for a given $u$.

For a 4-cylinder 4-stroke engine, it is easy to compute that the air charge $M_c$ for each individual cylinder per intake stroke is a fixed fraction of $M$ (the expression is illegible in the scan).


Now, the brake torque $T_e$ (Nm) produced by the engine can be experimentally established as a nonlinear regressed function of cylinder air charge $M_c$, spark advance $\delta$ (degrees), engine speed $N_r$ (rad/s), exhaust gas recirculation EGR, and air-to-fuel ratio AFR. In this model, EGR is fixed as a constant, hence does not appear in the model.

$$
T_e = 2 \times 0.7376\,\big(-181.3 + 379.36\, M_c + 21.91\, \mathrm{AFR} - 0.85\, \mathrm{AFR}^2 + 0.26\, \delta - 0.0028\, \delta^2 + 0.027\, N_r - 0.000107\, N_r^2 + 0.00048\, N_r\, \delta + 2.55\, \delta\, M_c - 0.05\, \delta^2 M_c\big).
$$

To maximize engine efficiency, it is usually desirable that the spark advance is selected such that the engine torque output is maximized. Such a value of the spark is called MBT (maximum brake torque) spark. In this model, the MBT spark can be computed from the nominal model as a function of the air charge and engine speed:

$$
\delta_{MBT} = \frac{0.26 + 0.00048\, N_r + 2.55\, M_c}{2\,(0.0028 + 0.05\, M_c)}\,.
$$
Furthermore, to maximize the efficiency of the three-way catalyst, the air-to-fuel ratio must be close to the stoichiometric value, which in our case is 14.6. The vehicle acceleration follows Newton's law

$$
\dot v = \frac{F}{W}
$$

where $F$ is the net force on the vehicle for acceleration, $W$ the vehicle weight in kg, and $g$ is the gravity acceleration in m/s$^2$. For the (hypothetical) vehicle we are considering, $g = 9.8$, $W = 1134$ kg (or 2500 lbs). $F$ is related to engine power and load by

$$
F = \frac{P_e - P_L}{v}
$$

where $P_e$ and $P_L$ are the engine brake power and load (Watts), respectively. The engine brake power can be computed as $P_e = \frac{2\pi}{60} N\, T_e$, where $N$ is the engine speed in RPM and $T_e$ is the engine brake torque in Nm.

A typical expression for the load is $P_L = a + b v^2$, where the values of $a$ and $b$ depend on vehicles and road conditions. An example of these values is $a = 2.011 \times 10^{-3}$ and $b = 1.5 \times 10^{-6}$. For hilly roads, $a$ and $b$ become bigger.

In summary, the system we are considering can be modeled as a second-order nonlinear system,

$$
\dot v = f_v(p, v, i), \qquad \dot p = f_p(p, v, i) + u
$$

where

$$
f_v(p, v, i) = \frac{1}{W}\,\frac{2\pi\, T_e\, N - (a + b v^2)}{v}, \qquad
f_p(p, v, i) = a_0 + a_1 k_n\, p\, \beta(i)\, v + a_2\, \beta(i)\, v\, p^2 + a_3\, p\, \beta^2(i)\, v^2.
$$

For design purposes, the transport delay has been omitted. The robust design we shall employ can be shown to guarantee robustness against modeling errors and delays. These will be demonstrated in our simulation.


2.2  Control  Configurations 

The  hybrid  control  system  in  Figure  3  will  consist  of: 

1.  A  robust  analog  controller  which  feeds  back  from  the  analog  states  (vehicle 
speed  and  manifold  pressure)  and  discrete  state  (gear  position)  to  determine 
the  throttle  position  so  that  tracking  control  can  be  achieved  in  the  presence 
of  modeling  errors  and  external  disturbances. 

2. A discrete event model which, other than initial states, has four states representing gear positions. Some constraints will disable certain transitions between the states. Most obviously, the upshift gear skip from 1 to 4 is not allowed. Other gear skips are allowed, but usually not desirable.

3.  A  manager  which  decides  gear  shifting  actions.  At  each  decision  time,  the 
manager  will  act  on  a  constrained  set  of  gear  shifting  events  to  decide  whether 
a  gear  shift  should  be  commanded.  The  constrained  set  is  determined  by 
the  following  critria:  (1)  Discrete  constraints:  This  comes  from  the  discrete 
event  model,  which  eliminates  several  gear  shifting  actions  such  as  1-4,  due  to 
physical  constraints.  (2)  Hybrid  constraints:  There  are  certain  lower  limits  on 
engine  speeds,  called  lugging  limits,  for  gear  shift  decisions  to  avoid  excessive 
harshness  and  vibration.  These  are  hybrid  limits  since  they  depend  on  both 
analog  output  (vehicle  speed)  v  and  discrete  state  (gear)  s. 

3  Hybrid  Control  of  Powertrain  Automotive  Systems 

The  current  production  strategy  for  powertrain  control  employs  static  mapping 
tables  to  schedule  throttle  and  spark,  and  throttle-speed-gear  operating  points 
for  gear  shifting.  For  example,  gear  shifting  from  the  second  gear  to  the  third  gear 
will  occur  if  the  vehicle  speed  and  throttle  position  move  across  a  pre-calibrated 
line  on  the  speed-throttle  space. 

The hybrid gear strategy developed in this paper employs feedback linearization
and robust $H^\infty$ design to derive an analog strategy for the throttle control,
and a performance index to guide gear switching decisions. Details will be provided
in the subsequent subsections. Generally speaking, this is the same idea
as the performance guided robust hybrid control strategy introduced in [4]. Under
some theoretical conditions, the generic strategy of [4] is shown to maintain
robust stability and robust performance.

In applying this generic strategy to this case study, we have encountered
some severe practical constraints which lead to several important modifications.
Due to such modifications, the clean theoretical results of [4] do not hold rigorously
in this case study. However, our simulation results still demonstrate similar
stability, performance improvements, and robustness, to those claimed in [4].


3.1  Constraints  and  Strategy  Modifications 

Two-Time-Scale Strategy It is noted that the goal of analog control differs
from that of discrete actions. To react promptly to the adverse effects of random
disturbances on the system, the analog control must perform quickly. On the
other hand, due to transient behavior of gear shifting and the desire to avoid
gear hunting, discrete actions should have limited speed. As a result, we employ
a two-time-scale method in this case study. In this method, one defines two time
scales, $T$ and $T_d$, where $T$ is the sampling interval for analog control and $T_d$ is
the discrete decision interval. $T$ is much smaller than $T_d$. Usually, $T_d = k_d T$ for
some integer, say, $k_d = 10$.

As a result, gear shifting decisions will only be made at $kT_d$ for $k = 0, 1, 2, \ldots$
In the time window $[kT_d, (k+1)T_d]$, an analog robust controller is employed to
robustly stabilize the system, reduce the deviation of the vehicle speed from
the driver's command speed, and achieve satisfactory fuel consumption. Analog
control is then discretized with sampling interval $T$.


Real-Time Computation and Short Time Prediction Powertrain control
strategies are to be implemented on-line. Due to the limited on-board computational
resources, they must be computationally very efficient. The performance
guided switching control of [4] computes first the expected worst-case future
performance for each discrete state, and then selects the one offering the best
future robust performance. While there are cases where such future robust performances
can be explicitly computed [4] [8] [9], in automotive powertrain applications
such computation is not only overly time consuming but impossible,
since the future commands from the driver are not available. A tradeoff, which
is used in this study, is to replace the future performance index by its short
horizon approximation. In this case, the performance measure is evaluated approximately
only up to a short step into the future. For our simulation, the step
is $2T_d$, where $T_d$ is the interval for discrete decisions.


Actuator Saturation The throttle angle is saturated near 90 degrees. Also,
the control authority of the throttle angle on the air charge depends on the
manifold pressure. When the manifold pressure is close to the atmospheric pressure
of 100 kPa, which corresponds to wide-open throttle operation, the throttle
will lose control authority. In both cases, only the gear shifting remains a control
variable. We have modified the hybrid control strategy such that it is reduced
to discrete feedback only when either the throttle is WOT (wide open throttle)
or the manifold pressure is close to the atmospheric pressure.


Unquantified Modeling Errors Although it is well understood that second-order
models of engine systems are subject to significant modeling errors, due
to data fitting errors, limited test data, engine-to-engine deviations and variations
in operating conditions, the modeling errors cannot be well quantified. As
a result, computation of the worst-case performance against modeling errors becomes
difficult. On the other hand, a selection of the switching penalty matrix
defines the level of robustness against modeling errors. In this case study, we
select a switching penalty matrix to balance robustness, performance, and gear
shifting frequency. Then simulation is performed to evaluate the design.

3.2 Analog Control Design

During the time interval between discrete decision instances, discrete states
(gear) are unchanged and the analog control becomes the sole control authority.
Clearly, in this case, the analog control must deliver the usual robust
performance in the presence of modeling errors, time delays and disturbances.

The analog control employed here is a nonlinear robust $H^\infty$ controller which
is constructed according to the design method developed in [5]. The design
method involves the following steps.


1.  Feedback  Linearization 

Suppose the desired vehicle speed profile is given by $V_d(t)$. Note that for
vehicles equipped with electronic throttles, the profile $V_d$ is interpreted as
the driver's pedal positions. In the case of the manual throttle operated by
the driver, the profile $V_d(t)$ is the desired profile perceived by the driver.
The second-order powertrain nominal model is feedback linearizable and all
the functions used in feedback linearization can be explicitly derived.

Define $z_1 = v - V_d$, $z_2 = f_v(p, v, i)$. Then, we have $\dot z_1 = z_2 - \dot V_d$ and

$$\dot z_2 = \frac{\partial f_v}{\partial p}\,\dot p + \frac{\partial f_v}{\partial v}\,\dot v = \frac{\partial f_v}{\partial p}\,\bigl(f_p(p, v, i) + u\bigr) + \frac{\partial f_v}{\partial v}\,f_v(p, v, i) := w.$$

As a result, the nominal nonlinear system is transformed by a state mapping
$(z_1, z_2) = T(p, v, i)$ and control mapping $u = \phi(p, v, i, w)$ to a linear system.
It is noted, however, that modeling errors will be mapped into the new
system as nonlinear uncertainties.

2.  Design  of  the  State  Feedback 

Now, a linear state feedback $K$ can be constructed by employing the Riccati
inequality approach developed in [5]. Numerically, this can be easily
done by using Matlab functions. The system model in this case is a linear
nominal part with nonlinear uncertainties. The modeling errors are given by
$\|\Delta(x, u)\| \le \varepsilon_1 \|x\| + \varepsilon_2 \|u\|$, where $\varepsilon_1$ and $\varepsilon_2$ are error bounds. The linearized
nominal system is simply $\dot z = A z + B_1 w + B_2 d_w$ and $y = C z$, where

$$A = \begin{bmatrix} 0 & 1 \\ 0 & 0 \end{bmatrix}$$

$$B_1 = $$

$$B_2 = $$

$$C = [\,1 \;\; 0\,].$$

Note that the term $d_w$ includes $\dot V_d$ as well as other possible disturbances.
The performance criterion is the $H^\infty$-type performance

$$\ldots\; d_w^T W_d\, d_w\, dt, \qquad \forall t.$$
It was shown in [5] that a sufficient condition for the performance criterion
to be satisfied is that the Riccati equation

$$A^T P + P A - P\Bigl[B_1\bigl(W_w + \tfrac{1}{\varepsilon_b}\bigr)^{-1} B_1^T - B_2 W_d^{-1} B_2^T - (\varepsilon_1 \varepsilon_a + \varepsilon_2 \varepsilon_b)\Bigr] P + \Bigl[C^T W_y C + \tfrac{1}{\varepsilon_a} I\Bigr] = 0$$

has a positive definite solution $P$, where $\varepsilon_a$ and $\varepsilon_b$ are positive constants
selected by the designer. Finally the state feedback is given by

$$K = -\bigl(W_w + \tfrac{1}{\varepsilon_b}\bigr)^{-1} B_1^T P.$$

3.  Control  Signal  Construction 

The overall analog control is constructed as follows: At time $t$, $v(t)$ and $p(t)$
are measured. Then $z_1(t) = v(t) - V_d(t)$ and $z_2(t) = f_v(p(t), v(t), i(t))$ are
computed. After applying the linear state feedback $w(t) = K[z_1(t), z_2(t)]^T$,
we obtain the original control from

$$u(t) = \Bigl(\frac{\partial f_v}{\partial p}\Bigr)^{-1}\Bigl(w(t) - \frac{\partial f_v}{\partial v}\, z_2(t)\Bigr) - f_p\bigl(p(t), v(t), i(t)\bigr).$$

The  design  procedure  has  been  applied  to  automotive  engine  control  problems 
and  demonstrates  robustness  against  significant  modeling  errors,  disturbances 
and  engine  delays  [6]. 

3.3  Priority  Functions  and  Switching  Decisions 

In this powertrain control problem, gear shifting is the discrete decision which
must be made by a manager. Due to the requirements of on-line implementation,
the optimization problem must be solved in a short period of time and solutions
must be updated frequently. This forbids optimization over a large window of
time. The decision-making process is based on a short-term performance
index which contains three terms,

$$J = W_a J_a + W_f J_f + W_s J_s,$$

where $J_a$ is a term on tracking performance, $J_f$ is a measure of fuel consumption,
and $J_s$ reflects switching penalties. $W_a, W_f, W_s$ are weightings to reflect tradeoffs
among these competing performance objectives. Essentially, $J_a = \int_t^{t+2T_d} |v(\tau) - V_d(\tau)|\, d\tau$,
$J_f$ is the integral over the same window $[t, t+2T_d]$ of a fuel-consumption measure, and $J_s$ is given by a $4 \times 4$ matrix whose $(i,j)$-th
element is the switching penalty for gear shifting from position $i$ to position $j$.
This decision is made at $kT_d$, $k = 0, 1, 2, \ldots$
4 Simulation Results

Substantial simulation has been performed to evaluate the hybrid control strategies
under various conditions. Selections of parameters for simulation are first
provided.

Sampling interval for analog control $T = 0.05$ second. Discrete decision interval
$T_d = 0.5$ second. Weighting values for gear shifting: $W_a = 400$, $W_f = 400$,
$W_s = 5$. Gear shifting penalty is defined by a matrix $SP$ whose $(i,j)$-th component
is the switching penalty for shifting from gear $i$ to gear $j$:

$$SP = \begin{bmatrix} 0 & 1 & 50 & 10000 \\ 10 & 0 & 5 & 100 \\ 100 & 10 & 0 & 10 \\ 10000 & 10 & 5 & 0 \end{bmatrix}$$

Note that the large value 10,000 entered for shifting from 1 to 4 or vice versa
essentially excludes these shifts. If such shifts are physically forbidden, one can
simply enter a much larger value to prevent such discrete decisions. Vehicle
loads from road conditions are given by $P_l = a + b v^2$, where $a = 2.011 \times 10^{-3}$, and
$b = 1.5 \times 10^{-6}$ for flat roads and $b = 2.65 \times 10^{-6}$ for hilly roads. External
disturbances and modeling errors are added to the model in simulation.
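As an added illustration of the manager of Sections 2.2 and 3.3 (example code written for this page, not the paper's own implementation), the following Python evaluates the short-horizon index $J = W_a J_a + W_f J_f + W_s J_s$ over the next $2T_d$ seconds for every gear in the constrained set and commands the minimum. It takes $T$, $T_d$, $W_a$, $W_f$, $W_s$ and $SP$ from the parameters above; the predicted speed and fuel-rate traces, the gear ratios used to estimate engine speed for the lugging-limit check, and the lugging limit itself are constructed assumptions, since the paper does not give them.

```python
"""Short-horizon gear-shift manager (added example, not the paper's code).

At each decision instant the manager evaluates J = W_a*J_a + W_f*J_f + W_s*J_s
over the next 2*T_d seconds for every candidate gear in the constrained set
and picks the minimum. Predicted traces, gear ratios and the lugging limit
are constructed assumptions.
"""
T = 0.05            # analog sampling interval (s), from the paper
T_D = 0.5           # discrete decision interval (s), from the paper
HORIZON = 2 * T_D   # short-horizon approximation used by the paper
W_A, W_F, W_S = 400.0, 400.0, 5.0   # weightings from Section 4
N_STEPS = int(round(HORIZON / T))    # 20 samples over the 1 s window

# Switching penalty matrix SP from Section 4; SP[i-1][j-1] is the penalty
# for shifting from gear i to gear j.
SP = [
    [0,      1, 50, 10000],
    [10,     0,  5,   100],
    [100,   10,  0,    10],
    [10000, 10,  5,     0],
]

# ASSUMED engine-speed model for the lugging-limit check: N = v * RATIO[gear]
# (RPM per m/s). Ratios and limit are constructed, not from the paper.
RATIO = {1: 420.0, 2: 250.0, 3: 170.0, 4: 90.0}
LUGGING_LIMIT_RPM = 1200.0


def discrete_constraint_ok(cur, cand):
    """Discrete-event constraint (Section 2.2): the 1<->4 skip is not allowed."""
    return {cur, cand} != {1, 4}


def lugging_ok(v, cand):
    """Hybrid constraint: engine speed in the candidate gear must stay above the lugging limit."""
    return v * RATIO[cand] >= LUGGING_LIMIT_RPM


def constrained_set(cur, v):
    """Gears the manager may consider from gear `cur` at vehicle speed v."""
    return [g for g in (1, 2, 3, 4) if discrete_constraint_ok(cur, g) and lugging_ok(v, g)]


def integrate(samples, dt=T):
    """Rectangle-rule integral of a sampled signal over the horizon."""
    return sum(samples) * dt


def tracking_cost(v_pred, v_des):
    """J_a = integral of |v - V_d| over [t, t+2T_d]."""
    return integrate([abs(a - b) for a, b in zip(v_pred, v_des)])


def fuel_cost(fuel_rate_pred):
    """J_f = integral of a fuel-consumption rate (constructed proxy) over the window."""
    return integrate(fuel_rate_pred)


def performance_index(cur, cand, v_pred, v_des, fuel_pred):
    j_a = tracking_cost(v_pred, v_des)
    j_f = fuel_cost(fuel_pred)
    j_s = SP[cur - 1][cand - 1]
    return W_A * j_a + W_F * j_f + W_S * j_s


def decide_gear(cur, v_now, v_des, predictions):
    """Return (gear, J) minimising J over the constrained set, or None if nothing is allowed.
    predictions: {gear: (predicted speed trace, predicted fuel-rate trace)}."""
    best = None
    for g in constrained_set(cur, v_now):
        v_pred, fuel_pred = predictions[g]
        j = performance_index(cur, g, v_pred, v_des, fuel_pred)
        if best is None or j < best[1]:
            best = (g, j)
    return best


def example_decision():
    """Constructed scenario: in gear 2 at 12 m/s while the command ramps to 14 m/s."""
    cur, v_now = 2, 12.0
    v_des = [12.0 + 2.0 * (k + 1) / N_STEPS for k in range(N_STEPS)]
    predictions = {   # constructed (speed trace, fuel-rate trace) per candidate gear
        1: (list(v_des), [3.0] * N_STEPS),                # tracks perfectly, burns most fuel
        2: ([x - 0.1 for x in v_des], [2.0] * N_STEPS),   # slight lag, moderate fuel
        3: ([x - 0.5 for x in v_des], [1.5] * N_STEPS),   # lags more, least fuel
        4: ([x - 1.5 for x in v_des], [1.2] * N_STEPS),   # would lug the engine; filtered out
    }
    return decide_gear(cur, v_now, v_des, predictions)


if __name__ == "__main__":
    print(constrained_set(2, 12.0), example_decision())
```

The 1-to-4 skip is rejected twice, by the discrete constraint and again by the 10,000 entry in $SP$, which is the layering the text describes; the fuel proxy stands in for the integrand of $J_f$, which the page does not reproduce. With the constructed traces the cheaper fuel of gear 3 outweighs its tracking error and the small 2-to-3 penalty, so the manager commands an upshift.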

1. Robustness and performance of switching control. The main purpose of this
test is to evaluate the robustness, stability and performance of analog controllers
for each fixed gear position, in the presence of modeling errors, time
delays, and disturbances. In Figures 5, 6, and 7, the robust analog controllers, together
with the hybrid switching decision on gear selections, demonstrate robustness,
stability and performance. For comparison purposes, we combined
the same robust analog controllers with a typical production gear-shifting
strategy. Similar robust performances are observed in Figure 4.

2.  Different  road  and  acceleration  conditions. 

Due to system nonlinearity, powertrain system performance varies significantly
with vehicle loads and acceleration profiles. For instance, vehicle loads
become much higher on a hilly road than on a flat road. In this study, we
tested system performance under various road conditions including flat surfaces
and hilly roads, as well as a combination of both. We also tested system
performance under various acceleration commands, including fast and slow
driving profiles. Figures 5, 6, and 7 show that the system performs very
well under these various conditions using a robust controller with a hybrid
gear strategy.

3.  Comparison  to  typical  production  gear  shifting  strategies. 

While it is quite obvious that hybrid control methodologies offer a clearer
understanding of design tradeoffs and more systematic development tools,
comparison is necessary to evaluate if the hybrid control actually offers any
advantages over the traditional production gear strategies in their performances.
For this purpose, a typical and current production gear shifting
strategy is employed, whose performance is depicted in Figure 4, to compare
to the performance of the hybrid gear strategy in Figure 5. With a reasonable
selection of weighting values, the hybrid strategy outperforms the production
gear strategy in our simulation.

4.  Manual  versus  electronic  robust  throttle  controller. 

To compare the electronic robust controller with a driver, we model a driver's
manoeuvre of the foot-pedal in response to the vehicle speed by a PI controller,
where aggressive drivers might be modelled by using larger values $K_p$
and $K_i$ in the PI controller. For this simulation, $K_p = 2$ and $K_i = 0.05$.
Performance of this PI controller is illustrated in Figures 8 and 9. While
test results show that the robust controller (Figures 4 and 5) offers better
overall performance than the PI controller in tracking the desired vehicle
speed, it should be cautioned that the comparison is limited by our modeling
of the driver's behavior, which might be much more complicated than a
PI controller.

5.  Effects  of  weighting  functions  and  switching  penalty  on  system  robustness 
and  performance. 

We used simulation to gain an understanding of the roles played by the weighting
matrices and potential guidelines in selecting such matrices. The following
observations, which are to be expected, were made regarding the effects
of the following parameters: As $W_a$ increases, the tracking of speed is better,
but fuel consumption becomes higher, as shown in Figures 5 and 10. On
the other hand, as $W_f$ increases, one observes an improvement in fuel consumption,
at the expense of worse performance in speed tracking, as shown
in Figures 5 and 11. Finally, as $W_s$ increases, infrequent gear shifting occurs
and therefore causes higher fuel consumption, as shown in Figure 12.
Fig. 4. Powertrain systems controlled by robust analog controller and production gear strategy under flat road condition.

Fig. 5. Powertrain systems controlled by robust analog controller and hybrid gear strategy under flat road condition.

Fig. 6. Powertrain systems controlled by robust analog controller and hybrid gear strategy under hilly road condition.

Fig. 7. Powertrain systems controlled by robust analog controller and hybrid gear strategy under combined road conditions.

Fig. 8. Powertrain systems with a manual throttle and production gear strategy under flat road condition.

Fig. 9. Powertrain systems with a manual throttle and hybrid gear strategy under flat road condition.

Fig. 10. Powertrain systems controlled by robust analog controller and hybrid gear strategy under flat road condition. The weighting $W_a$ is increased to 700.

Fig. 11. Powertrain systems controlled by robust analog controller and hybrid gear strategy under flat road condition. The weighting $W_f$ is increased to 800.

Fig. 12. Powertrain systems controlled by robust analog controller and hybrid gear strategy under flat road condition. The weighting $W_s$ is increased to 25.
1 Introduction

Concurrent systems can usually be specified as systems of communicating processes
obtained by composing sequential processes by means of binary parallel
composition operators. The latter express process interaction in terms of action
composition. Their semantics is usually defined by two types of rules.

- Synchronization rules, that specify how an action of the product process is
defined as the result of the (simultaneous) occurrence of two actions in two
component processes.

- Interleaving rules, that specify how an action of a component process is an
action of the product process. These rules allow some component processes
to be idle while the others progress.

Combining synchronization and interleaving rules is essential for the specification
of systems as process coordination requires both synchronization and
waiting. However, their adequate combination must satisfy two conflicting requirements:

Deadlock-freedom: Deadlocks may appear in the product process as a result
of enforcing synchronization, for instance, when two processes are at states
from which only non matching synchronization actions can be performed. Such
deadlocks can be avoided by using "escape" transitions generated by application
of interleaving rules. However, the presence of both synchronization and
interleaving actions may imply non maximal progress.

Maximal progress: When synchronization of two actions is possible, interleaving
rules, used precisely to avoid deadlocks, may be applicable. Maximal
progress means that synchronization is preferred to interleaving when both are
possible. This is sometimes achieved by using restriction or hiding operators that
prune out interleaving actions.

The above problems are amplified for timed or hybrid systems where time
progress is synchronous and waiting times are bounded. This can be easily observed
when hybrid specifications are obtained by adding timing constraints to
untimed communicating systems specifications, as has been pointed out in
[SY96].

In [SY96,BS97b] it is claimed that specifying time progress conditions independently
from discrete transitions may be a source of inconsistencies in specifications.
We propose a model where time progress constraints are associated with
actions and thus time progress is directly related with the ability of a system to
perform actions. This model satisfies the property of time reactivity in the sense
that if no action is enabled at a state, time can progress.

Following the process algebra approach, we consider discrete (untimed) systems
represented as terms generated from a set of abstract actions by using
operators such as prefixing, non deterministic choice and parallel composition.
We extend the semantics of these operators to hybrid actions.

For a given abstract action $a$, a hybrid action extension of $a$ is defined as a
triple $(g_a, d_a, f_a)$ where $g_a$ and $d_a$ are unary predicates and $f_a$ is a total function
on a continuous set of states. The predicate $g_a$ is a guard characterizing the states
from which $a$ is enabled while $d_a$ is a deadline satisfied by all the enabling states
at which the action $a$ becomes urgent (time progress is stopped). The function
$f_a$ represents the effect of the action when it is executed.

As usual, for a given $n$-ary operator $op$, the hybrid actions of the term
$op(t_1, \ldots, t_n)$ are obtained by composing the hybrid actions of the arguments $t_i$.
We show that the semantics of operators on abstract actions can be extended to
hybrid actions in different manners. The extensions have the same semantics for
discrete transitions but may differ in urgency (ability to perform actions within
a given delay).

We assume that parallel composition of two discrete systems can be expressed
as the non-deterministic choice of terms starting with interleaving or synchronization
actions (by means of some expansion theorem [BK85]). The expansion
theorem is extended to hybrid actions in the following manner:

- To guarantee maximal progress, non-deterministic choice is replaced by priority
choice that gives higher priority to synchronization actions over interleaving
actions.

- Synchronization operators between abstract actions are extended to hybrid
actions. The guard and the deadline resulting from the synchronization of
two hybrid actions depend on the guards and deadlines of the synchronizing
hybrid actions. We show that for hybrid actions different synchronization
operations of practical interest can be defined by taking modal formulas as synchronization
guards and deadlines. In particular, we identify three important
synchronization modes: AND-synchronization, where the guard of
the synchronization action is the conjunction of the guards of the contributing
actions; MAX-synchronization, used to model synchronization with waiting
and for which the synchronization action occurs as soon as all of the
contributing actions have been completed; and MIN-synchronization, where the
synchronization action occurs as soon as one of the contributing actions is
completed.

The paper is organized as follows. In section 2, we define hybrid extensions of
discrete systems as a labeling homomorphism that extends prefixing and choice
operators. Section 3 presents a framework for parallel composition of hybrid
systems as an extension of parallel composition of untimed systems. For the
three basic synchronization modes parallel composition rules are proposed that
guarantee both local deadlock-freedom and maximal progress. We conclude by
indicating possible application directions.

2 Hybrid extensions of discrete systems

We consider a simple (discrete) algebra of terms $S_A$ with prefixing and non-deterministic
choice. We show that a hybrid extension of $S_A$ can be defined
as a labeling of the underlying transition system associating with a state $s$ an
evolution function $\triangleright_s$ and with any action $a$ a hybrid action $h(a)$.

2.1 Discrete systems

Consider the language of terms $S_A$ defined by the grammar

$$s ::= Nil \mid a.s \mid s + s$$

where $Nil$ is a constant and $a \in A$, a set of atomic actions.

With a term of $S_A$ we associate transition relations, subsets of $S_A \times A \times S_A$,
defined by

$$a.s \xrightarrow{a} s$$

$$s_1 \xrightarrow{a} s_1' \;\text{ implies }\; s_1 + s_2 \xrightarrow{a} s_1' \;\text{ and }\; s_2 + s_1 \xrightarrow{a} s_1'$$

We consider that $+$ is an associative commutative operator with $Nil$ as zero
element. Any term $s$ is congruent (strongly bisimilar) to a term of the form:

$$s = \sum_{i \in I} a_i.s_i \qquad \text{(taken to be } Nil \text{ if } I = \emptyset)$$

2.2 Hybrid extension of $S_A$

A hybrid extension of $S_A$ is defined as a pair $(V, h)$ where

- $V$ is a continuous state space isomorphic to $\mathbb{R}^n$ for some $n \ge 0$

- $h$ is a labeling of $S_A$ such that:

  • $h(s) = (s, \triangleright_s)$, where $\triangleright_s : V \times \mathbb{R}^+ \to V$ is an evolution function. We write
  $v \triangleright_s t$ for $\triangleright_s(v, t)$. We require that $\triangleright_s$ is additive, i.e.,

  $$\forall v \in V\; \forall t_1, t_2 \in \mathbb{R}^+.\; v \triangleright_s (t_1 + t_2) = (v \triangleright_s t_1) \triangleright_s t_2.$$

  • $h(a) = (a, g, d, f)$ where $g$ and $d$ are two unary predicates on $V$ and
  $f : V \to V$. We suppose that $d \Rightarrow g$. We call $g, d, f$ the guard, the
  deadline and the jump respectively of the hybrid action $h(a)$ associated
  with $a$.

The hybrid extension of the term $s = \sum_{i \in I} a_i.s_i$ is represented by the term
$h(s) = \sum_{i \in I} h(a_i).h(s_i)$.

We define hereafter the semantics of $h(s)$ in two steps. First, we associate
transition relations with hybrid actions $h(a_i)$ on the continuous state space $V$.
Then, we define the transition relation of the hybrid extension.

Definition 1. Let $b = (a, g, d, f)$ be a hybrid action associated with $a$ in some
transition $s \xrightarrow{a} s'$ of $S_A$. We define transition relations $\xrightarrow{t}$ for $t \in \mathbb{R}^+$ and $\xrightarrow{a}$ for
$a \in A$, subsets of $V \times V$:

- $b : v \xrightarrow{t} v \triangleright_s t$ if $\forall t' < t.\; \neg d(v \triangleright_s t')$

- $b : v \xrightarrow{a} f(v)$ if $g(v)$

The two relations describe the behavior of $b$ from a continuous state $v$.
$b : v \xrightarrow{t} v \triangleright_s t$ means that the execution of $b$ can be delayed for $t$ time units and
$b : v \xrightarrow{a} f(v)$ represents the effect of a jump.

Definition 2.

The semantics of $h(s) = \sum_i b_i.h(s_i)$ where $b_i = (a_i, g_i, d_i, f_i)$ and $h(s) = (s, \triangleright_s)$
is defined as a family of labeled transitions, subsets of $(S_A \times V) \times (A \cup \mathbb{R}^+) \times (S_A \times V)$, by the rules

- If $b_i : v \xrightarrow{a_i} v_i$ then $(s, v) \xrightarrow{a_i} (s_i, v_i)$

- If $\forall i \in I.\; b_i : v \xrightarrow{t} v \triangleright_s t$ then $(s, v) \xrightarrow{t} (s, v \triangleright_s t)$.

Remark 3.

Notice that the projection of the transition relations on discrete state components
agrees with the transition relations of the associated discrete system. This
justifies the use of the term "extension".

Time can advance in $h(s)$ for $s = \sum_i a_i.s_i$ only if all the hybrid actions
$h(a_i)$ agree to let time advance. This rule determines a time progress condition
associated with $s$ similar to the "invariants" in [ACH+95] and "time progress
conditions" in [KMP96]. Associating time progress with actions is an important
feature of the presented model, as will be shown throughout the paper. For a
given hybrid action, its guard characterizes the states from which the action is
possible while its deadline characterizes the subset of the states where the action
is enforced by stopping time progress.

The condition $d \Rightarrow g$ guarantees that if no action is enabled from a state
then time can progress. In fact, time progress can stop only at states where a
guard is enabled. Using terminology from synchronous languages [JM94] we call
this property time reactivity.

The relative position of $d$ with respect to the corresponding $g$ determines the
urgency of an action. For a given $g$, the corresponding $d$ may take two extreme
values: $d = g$, which means that the action is eager, and $d = false$, which means
that the action is lazy. A particularly interesting case is the one of a delayable
action, where $d$ is the falling edge of $g$ (the action cannot be disabled without enforcing its
execution) (figure 1).
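To make Definitions 1 and 2 and the three urgency types concrete, here is an added Python example (written for this page, not the paper's code). It assumes the simplest continuous state space, $V = \mathbb{R}$ holding one clock $x$ with evolution $x \triangleright_s t = x + t$, and represents guards and deadlines as Python predicates. The guard window $[2, 5]$ and the clock values are constructed, and the real-valued quantifier in Definition 1 is checked on a time grid of step 0.01, which is an approximation of the continuous semantics.

```python
"""Timed and discrete semantics of hybrid actions (Definitions 1 and 2) and the
eager / delayable / lazy urgency types of Figure 1. Added example, not the
paper's code. V = R is a single clock x with evolution x |>_s t = x + t; the
guard, deadlines and clock values are constructed. Quantifiers over real time
are evaluated on a grid of step STEP (an approximation, assumed here)."""
from collections import namedtuple

HybridAction = namedtuple("HybridAction", "a g d f")   # the tuple (a, g, d, f)
STEP = 0.01


def evolve(x, t):
    """Evolution function: the clock advances with time."""
    return x + t


def can_delay(b, x, t):
    """Definition 1, timed relation: b : x -t-> x|>t  iff  for all t' < t, not d(x|>t')."""
    n = int(round(t / STEP))
    return all(not b.d(evolve(x, k * STEP)) for k in range(n))


def jump(b, x):
    """Definition 1, discrete relation: b : x -a-> f(x)  iff  g(x). None when disabled."""
    return b.f(x) if b.g(x) else None


def enabled(actions, x):
    """Definition 2, discrete rule: the choice may fire any b_i whose guard holds (union)."""
    return [(b.a, b.f(x)) for b in actions if b.g(x)]


def max_delay(actions, x, horizon):
    """Definition 2, timed rule: time may advance by t only if every b_i allows it
    (intersection), so progress stops at the first t' where some d_i(x|>t') holds.
    Returns that t', or `horizon` if no deadline is met within it."""
    n = int(round(horizon / STEP))
    for k in range(n + 1):
        t = k * STEP
        if any(b.d(evolve(x, t)) for b in actions):
            return round(t, 6)
    return float(horizon)


# Constructed guard: the action is possible while the clock is in [2, 5].
def window(x):
    return 2.0 <= x <= 5.0


def reset(x):
    return 0.0


EAGER = HybridAction("a", window, window, reset)                              # d = g
DELAYABLE = HybridAction("a", window, lambda x: abs(x - 5.0) < 1e-9, reset)   # d = falling edge of g
LAZY = HybridAction("a", window, lambda x: False, reset)                      # d = false


def urgency_table(x=0.0, horizon=10.0):
    """Maximal delay allowed from clock value x for each urgency type."""
    return {"eager": max_delay([EAGER], x, horizon),
            "delayable": max_delay([DELAYABLE], x, horizon),
            "lazy": max_delay([LAZY], x, horizon)}


if __name__ == "__main__":
    print(urgency_table())                     # eager 2.0, delayable 5.0, lazy 10.0
    print(max_delay([EAGER, LAZY], 0.0, 10.0)) # the choice inherits the most urgent deadline
```

From $x = 0$ the eager action stops time as soon as its guard opens at 2, the delayable one only when the guard is about to close at 5, and the lazy one never. In a choice the timed relations intersect, so combining the eager and lazy actions still stops time at 2, while the discrete relations form a union, so both are enabled at $x = 3$. All three deadlines satisfy $d \Rightarrow g$, which is what makes time progress from a state with no enabled guard (time reactivity).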


2.3 Choice operators

Let $B = \{b_i\}_{i \in I}$ be a set of actions $b_i = (a_i, g_i, d_i, f_i)$ labeling transitions issued
from a term with evolution function $\triangleright$. We use the modal operators $\Diamond_{\le k}\, p$
(eventually $p$ within $k$) and $\overleftarrow{\Diamond}_{\le k}\, p$ (once $p$ since $k$), where $p$ is a unary predicate
on $V$, and $k \in \mathbb{R}^+ \cup \{\infty\}$.

Fig. 1. Using deadlines to specify urgency: $d = g$ (eager), $d$ = falling edge of $g$ (delayable), $d = false$ (lazy).

$$\Diamond_{\le k}\, p\,(v) \;\text{ if }\; \exists t \in \mathbb{R}^+,\; 0 \le t \le k.\; p(v \triangleright t)$$

$$\overleftarrow{\Diamond}_{\le k}\, p\,(v) \;\text{ if }\; \exists t \in \mathbb{R}^+,\; 0 \le t \le k.\; \exists v' \in V.\; v = v' \triangleright t \wedge p(v')$$

As usual, we write $\Diamond p$ and $\overleftarrow{\Diamond} p$ for $\Diamond_{\le \infty}\, p$ and $\overleftarrow{\Diamond}_{\le \infty}\, p$ respectively, and $\Box p$
and $\overleftarrow{\Box} p$ for $\neg\Diamond\neg p$ and $\neg\overleftarrow{\Diamond}\neg p$ respectively.

We have already defined a non-deterministic choice operator $\sum_i b_i.s_i$ which
combines the semantics of hybrid actions in a very simple manner. The discrete
transition relation is the union of the discrete transition relations of the hybrid
actions $b_i$ and the timed transition relation is the intersection of the timed
transition relations of the $b_i$'s. This semantics corresponds to a maximally urgent
behavior in the sense that an action may occur when $\bigvee_i g_i$ holds and time
progress stops as soon as $\bigvee_i d_i$ holds. In practice, it is often useful to define
other choice operators with less prompt semantics ([BS97a]). We define a choice
operator taking into account priorities between actions. Instead of considering
non-deterministic choice between actions $b_i = (a_i, g_i, d_i, f_i)$, for $i = 1, 2$, one can
consider that, for instance, $b_2$ has higher priority than $b_1$, which leads to restricting
the guard and the deadline of $b_1$ to $g_1'$ and $d_1'$ respectively. One may take
$g_1' = g_1 \wedge \neg g_2$ and $d_1' = d_1 \wedge g_1'$ to resolve conflicts between $b_1$ and $b_2$ in favor of
$b_2$. This is a well-known manner to give priority to actions in untimed systems.
However, for timed systems priority can concern not only instantaneous conflict
resolution but also take into account the possibility of waiting. For instance, if we
take $g_1' = g_1 \wedge \Box\neg g_2$ and $d_1' = d_1 \wedge g_1'$, we restrict the enabling states of $b_1$ to
only those states from which $b_2$ will never be enabled.

Definition 4. priority order

Consider the relation $\prec\ \subseteq A \times (\mathbb{N} \cup \{\infty\}) \times A$. We write $a_1 \prec_k a_2$ for $(a_1, k, a_2) \in\ \prec$ and suppose that

- $\prec_k$ is a partial order relation for all $k \in \mathbb{N} \cup \{\infty\}$

- $a_1 \prec_k a_2 \Rightarrow \forall k' \le k .\ a_1 \prec_{k'} a_2$

- $a_1 \prec_k a_2 \wedge a_2 \prec_l a_3 \Rightarrow a_1 \prec_{k+l} a_3$

Property: The relation $a_1 \prec a_2 = \exists k .\ a_1 \prec_k a_2$ is an order relation.


Definition 5. priority choice operator

Given $\prec$, a priority order, and a set of terms, we define the priority choice operator $\sum^{\prec}$ such that:

$\sum^{\prec} \{b_i.s_i\}_{i \in I} = \sum_{i \in I} b_i'.s_i$

where if $b_i = (a_i, g_i, d_i, f_i)$ then $b_i' = (a_i, g_i', d_i', f_i)$ with $g_i' = g_i \wedge \bigwedge_{a_i \prec_k a_j} \neg\Diamond_{\le k}\, g_j$ and $d_i' = d_i \wedge g_i'$.

Notice that if $a_i \prec_k a_j$ then in $\sum_i b_i'.s_i$ "$a_j$ has higher priority than $a_i$ in the interval $[0, k]$", that is, $a_i$ is disabled if $a_j$ will be enabled within $k$ time units.


Fig. 2. Different priorities for $a_2$ over $a_1$


Consider the guards $g_1, g_2$ of the actions $a_1, a_2$. Figure 2 gives the guards $g_1'$ obtained when $g_1$ is restricted by considering the priority orders $a_1 \prec_0 a_2$, $a_1 \prec_1 a_2$, $a_1 \prec_\infty a_2$.




Proposition 6. The priority choice operators defined above satisfy the following properties.

1. $\Diamond g_i \Rightarrow \Diamond(g_i' \vee \bigvee_{a_i \prec a_j} g_j)$

2. $\Diamond \bigvee_{i \in I} g_i = \Diamond \bigvee_{i \in I} g_i'$

The first property means that if action $a_i$ can occur in the non-prioritized choice then either $a_i$ can occur in the prioritized choice or some action of higher priority can.

The second property is a consequence of the first and simply says that $\sum^{\prec}$ preserves (local) deadlock-freedom: if some action can be executed in the non-prioritized choice then some action can be executed in the prioritized choice and vice versa.


3 Parallel composition

In this section we define parallel composition operators by following the same approach as in the previous section. First, we show how parallel composition on hybrid systems can be defined as an extension of parallel composition on untimed systems. We thus obtain general composition rules for which some practically interesting cases are discussed later.


3.1 Extending parallel composition from untimed to hybrid systems

Untimed systems We consider a general framework for the composition of untimed terms. For this, we suppose that the vocabulary of actions $A$ contains a distinguished element $\bot$ and consider the set $A_{|}$ of the words generated from $A$ with a commutative operator $|$ such that for all $a$, $a | \bot = \bot$. The operator $|$ is usually called communication function [BK85]. The words are used to represent synchronization actions, that is, actions that result from the synchronous occurrence of atomic actions. $a_1 | a_2 = \bot$ means impossibility of synchronization.

In the sequel, we suppose that there are no other simplification rules for $|$ but the rule for $\bot$, and that a word $a_1 | a_2$ is given in reduced form.

Consider the language of terms defined by the grammar

$s ::= s \in S_A \mid s \,\|\, s$

The semantics of the parallel composition operator is defined by the rules

$s_1 \xrightarrow{a_1} s_1'$, $s_2 \xrightarrow{a_2} s_2'$, $a_1 | a_2 \ne \bot$ implies $s_1 \| s_2 \xrightarrow{a_1 | a_2} s_1' \| s_2'$ and $s_2 \| s_1 \xrightarrow{a_1 | a_2} s_2' \| s_1'$

$s_1 \xrightarrow{a_1} s_1'$ implies $s_1 \| s_2 \xrightarrow{a_1} s_1' \| s_2$ and $s_2 \| s_1 \xrightarrow{a_1} s_2 \| s_1'$

$\|$ is a commutative operator that can be expressed in terms of non-deterministic choice. It is well-known that for $q_1 = \sum_i a_i.s_i$ and $q_2 = \sum_j a_j.s_j$,

$q_1 \| q_2 = \sum_i a_i.(s_i \| q_2) + \sum_j a_j.(q_1 \| s_j) + \sum_{i,j} (a_i | a_j).(s_i \| s_j)$

The first two summands start with interleaving actions while the last one starts with synchronization transitions (only terms such that $a_i | a_j \ne \bot$ appear).
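The expansion law above, carried out on constructed terms, as an added example that is not part of the paper: terms are sums of prefixes $a.s$, and the communication function `comm_handshake` (an assumption, not from the paper) lets an action synchronize only with its co-action, every other pair giving $\bot$, so that only the synchronization summands with $a_i | a_j \ne \bot$ survive.

```python
# Added example (not from the paper): the expansion law for untimed parallel
# composition q1 || q2 with a communication function.  A term is a sum of
# prefixes a.s; BOT is the distinguished element "bottom" (no synchronization).
from dataclasses import dataclass
from typing import Callable, List, Tuple

BOT = "⊥"


@dataclass(frozen=True)
class Sum:
    """A term q = a_1.s_1 + ... + a_n.s_n, as a tuple of (action, continuation)."""
    prefixes: Tuple[Tuple[str, object], ...]


@dataclass(frozen=True)
class Par:
    """A term s1 || s2 kept unexpanded (the continuations of the expansion)."""
    left: object
    right: object


NIL = Sum(())  # the terminated term 0


def comm_handshake(a: str, b: str) -> str:
    """Constructed communication function: a synchronizes only with its
    co-action 'a, and the resulting word is written a|'a; all other pairs give
    bottom.  It is commutative and a|bottom = bottom, as the paper requires."""
    if a == BOT or b == BOT:
        return BOT
    if b == "'" + a:
        return f"{a}|{b}"
    if a == "'" + b:
        return f"{b}|{a}"
    return BOT


def expand(q1: Sum, q2: Sum, comm: Callable[[str, str], str]) -> Sum:
    """q1 || q2 = Σ_i a_i.(s_i || q2) + Σ_j a_j.(q1 || s_j)
                + Σ_{i,j} (a_i|a_j).(s_i || s_j), dropping summands with a_i|a_j = bottom."""
    out: List[Tuple[str, object]] = []
    for a_i, s_i in q1.prefixes:          # interleaving of q1's actions
        out.append((a_i, Par(s_i, q2)))
    for a_j, s_j in q2.prefixes:          # interleaving of q2's actions
        out.append((a_j, Par(q1, s_j)))
    for a_i, s_i in q1.prefixes:          # synchronization transitions
        for a_j, s_j in q2.prefixes:
            w = comm(a_i, a_j)
            if w != BOT:
                out.append((w, Par(s_i, s_j)))
    return Sum(tuple(out))


def initial_actions(q: Sum) -> List[str]:
    """Labels of the initial transitions of q, in expansion order."""
    return [a for a, _ in q.prefixes]


# Constructed terms: q1 = a.0 + b.0 and q2 = 'a.0 + c.0
Q1 = Sum((("a", NIL), ("b", NIL)))
Q2 = Sum((("'a", NIL), ("c", NIL)))

if __name__ == "__main__":
    # Two interleavings per side plus the single possible synchronization a|'a.
    print(initial_actions(expand(Q1, Q2, comm_handshake)))
```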

Hybrid extension of $S_A$. For given $(V_i, h_i)$ hybrid extensions of $q_i$ for $i = 1, 2$, a hybrid extension $(V, h)$ for $q_1 \| q_2$ is defined by:

- $V = V_1 \times V_2$

- If $\tau_i = s_i \xrightarrow{a_i} s_i'$ is a transition of $q_i$ then $q_1 \| q_2$ has transitions of the form $\tau = s_1 \| s_2 \xrightarrow{A} s_1' \| s_2'$ where $A = a_i$ or $A = a_1 | a_2$. We take $h(\tau) = (s_1 \| s_2, \triangleright_{s_1} \times \triangleright_{s_2}) \xrightarrow{h(A)} (s_1' \| s_2', \triangleright_{s_1'} \times \triangleright_{s_2'})$ where

• $h(A) = h_i(a_i)$ if $A = a_i$ and $h(A) = h_1(a_1) | h_2(a_2)$ if $A = a_1 | a_2$ (we extend the communication function in an appropriate manner to hybrid actions, see below).

• $\triangleright_{s_1} \times \triangleright_{s_2} : (V_1 \times V_2) \times \mathbb{R}^+ \to V_1 \times V_2$ is such that $(v_1, v_2)(\triangleright_{s_1} \times \triangleright_{s_2})\,t = (v_1 \triangleright_{s_1} t,\ v_2 \triangleright_{s_2} t)$.

This definition leads, by taking $b_i = h_1(a_i)$ and $b_j = h_2(a_j)$, to a scheme of expansion theorem for parallel composition where $\oplus$ and $\odot$ are arbitrary choice operators (as defined in the previous section and in [BS97a]):

$h(q_1 \| q_2) = h_1(q_1) \| h_2(q_2) = \sum_i b_i.h_1(s_i) \,\|\, \sum_j b_j.h_2(s_j)$

$= \bigoplus_i b_i.(h_1(s_i) \| \sum_j b_j.h_2(s_j)) \ \oplus\ \bigoplus_j b_j.(h_2(s_j) \| \sum_i b_i.h_1(s_i)) \ \odot\ \bigodot_{i,j} (b_i | b_j).(h_1(s_i) \| h_2(s_j))$

If $\oplus$ and $\odot$ are non-deterministic choice operators then maximal progress is not guaranteed, as an interleaving action may be executed when synchronization is possible. For this reason, we define parallel composition as the priority choice of the expanded terms with infinite priority to the synchronization actions $b_i | b_j$ over the interleaving actions $b_i$ and $b_j$. This corresponds to priority choice for the minimal order $\prec$ such that $a_i \prec_\infty (a_i | a_j)$ and $a_j \prec_\infty (a_i | a_j)$ for any $i, j$. By using the notations

$B = \{b_i.(h_1(s_i) \| \sum_j b_j.h_2(s_j))\}_i \ \cup\ \{b_j.(h_2(s_j) \| \sum_i b_i.h_1(s_i))\}_j \ \cup\ \{(b_i | b_j).(h_1(s_i) \| h_2(s_j))\}_{i,j}$

and $h_1(q_1) = \sum_i b_i.h_1(s_i)$ and $h_2(q_2) = \sum_j b_j.h_2(s_j)$, we have $h_1(q_1) \| h_2(q_2) = \sum^{\prec} B$, which is equivalent to

$\sum_i b_i'.(h_1(s_i) \| h_2(q_2)) + \sum_j b_j'.(h_2(s_j) \| h_1(q_1)) + \sum_{i,j} (b_i | b_j).(h_1(s_i) \| h_2(s_j))$ (figure 3)

In the above term, $b_i'$, $b_j'$ are the actions obtained by restricting $b_i$ and $b_j$ due to priority. We now define $b_i | b_j$.
Fig. 3. Hybrid extension for parallel composition (diagram: $h_1$ and $h_2$ map the components $(s_1, \triangleright_{s_1})$ and $(s_2, \triangleright_{s_2})$ to the composed state $(s_1 \| s_2, \triangleright_{s_1} \times \triangleright_{s_2})$, with successor states $(s_1', \triangleright_{s_1'})$ and $(s_2', \triangleright_{s_2'})$)


Suppose that $h(a_i) = b_i = (a_i, g_i, d_i, f_i)$ for $i \in I$. If $a_i | a_j = \bot$ then we take $b_i | b_j = \bot$. Otherwise, we write $b_{i,j} = b_i | b_j = h(a_i | a_j) = h_1(a_i) | h_2(a_j) = (a_i | a_j, g_{i,j}, d_{i,j}, f_i \times f_j)$ where

$f_i \times f_j : V_1 \times V_2 \to V_1 \times V_2$ such that $(f_i \times f_j)(v_1, v_2) = (f_i(v_1), f_j(v_2))$.

We propose in the next subsection a method for defining $g_{i,j}$ and $d_{i,j}$ by respecting the requirements $g_{i,j} \Rightarrow g_i \vee g_j$ and $d_{i,j} \Rightarrow d_i \vee d_j$, which mean that $b_{i,j}$ may be caused only by $b_i$ or $b_j$.

Proposition 7. If $g_{i,j} \Rightarrow g_i \vee g_j$, the above definition guarantees the following properties

1. local deadlock-freedom preservation, that is,

$\Diamond(\bigvee_{i \in I} g_i \vee \bigvee_{j \in J} g_j) = \Diamond(\bigvee_{i \in I} g_i' \vee \bigvee_{j \in J} g_j' \vee \bigvee_{i \in I, j \in J} g_{i,j})$

2. maximal progress, that is, interleaving actions are executed only if the synchronizations $b_{i,j}$ are disabled forever.

It is important to notice that these properties hold independently of the way the guards and deadlines of the synchronization actions are defined.

3.2 Synchronization modes of hybrid actions

Given two hybrid actions $b_1, b_2$ we define the guard $g_{1,2}$ and the deadline $d_{1,2}$ of the hybrid action $b_1 | b_2 = (a_1 | a_2, g_{1,2}, d_{1,2}, f_1 \times f_2)$ resulting from their appropriate synchronization.


Composition of guards: synchronization modes As already discussed in [SY96,BS97b], for timed and hybrid systems the guard $g_{1,2}$ can be in general a modal formula in terms of the guards $g_1$ and $g_2$. We consider in particular three important synchronization modes:

AND-synchronization requires that synchronization takes place only when both synchronized transitions can be executed. This means $g_{1,2} = g_1 \wedge g_2$. Consider the example of two synchronizing actions with guards $g_1$ and $g_2$. Then, in general, interleaving actions are needed to avoid deadlock. Their guards in this case will be $g_1' = g_1 \wedge \Box\neg(g_1 \wedge g_2)$ and $g_2' = g_2 \wedge \Box\neg(g_1 \wedge g_2)$.

Fig. 4. AND-synchronization

MAX-synchronization requires that the first of the two synchronized actions that becomes enabled waits for the other to become enabled. The enabling of the latest action triggers synchronization. A consequence of this assumption is that waiting may be unbounded. For a given execution trace, the time interval in which the synchronized action is enabled has as lower bound the maximum of the times they become enabled and as upper bound the maximum of the times they become disabled. The corresponding guard $g_{1,2}$ is defined by $g_{1,2} = (\overline{\Diamond} g_1 \wedge g_2) \vee (g_1 \wedge \overline{\Diamond} g_2)$. For this condition to express synchronization with waiting, it is necessary that if $s_1$ and $s_2$ are the source states of the transitions labeled by $b_1$ and $b_2$, these states should always be reached with values $v_1$ and $v_2$ such that $v_i \models_{s_i} \Diamond g_i$ (remember that the meaning of $\Diamond$ depends on the evolution function $\triangleright_{s_i}$). In the case where there are only two synchronizing actions whose guards are $g_1$ and $g_2$, the interleaving actions will have guards $g_1' = g_1 \wedge \Box\neg g_{1,2}$ and $g_2' = g_2 \wedge \Box\neg g_{1,2}$, which can be simplified into $g_1' = g_1 \wedge \Box\overline{\Box}\neg g_2$ and $g_2' = g_2 \wedge \Box\overline{\Box}\neg g_1$.

Fig. 5. MAX-synchronization


MIN-synchronization is the dual of the previous synchronization mode, and it implies that the synchronization action $a_1 | a_2$ can occur when one of the two synchronizing actions is enabled and the other will eventually be enabled. That is, synchronization may occur in a time interval whose lower bound is the minimum of the times they become enabled and whose upper bound is the minimum of the times they become disabled. The corresponding guard $g_{1,2}$ is described by the formula $g_{1,2} = (\Diamond g_1 \wedge g_2) \vee (g_1 \wedge \Diamond g_2)$. In the case where there are only two synchronizing actions with guards $g_1$ and $g_2$, the interleaving actions will have guards $g_1' = g_1 \wedge \Box\neg g_{1,2} = g_1 \wedge \Box\neg g_2$ and $g_2' = g_2 \wedge \Box\neg g_1$.

Fig. 6. MIN-synchronization


Composition of deadlines: typed transitions For two given hybrid actions $b_i = (a_i, g_i, d_i, f_i)$, $i = 1, 2$, the deadline $d_{1,2}$ corresponding to $b_1 | b_2$ must satisfy the following condition

$d_{1,2} \Rightarrow g_{1,2} \wedge (d_1 \vee d_2)$

Of course, the most urgent solution is to take $d_{1,2} = g_{1,2} \wedge (d_1 \vee d_2)$, but this often leads to situations where the computed deadline $d_{1,2}$ does not correspond to the intuition [BS97a]. For this reason, but also to introduce a simple model where deadlines are defined from guards by means of simple assumptions about the urgency of the actions, we slightly modify our model.

We suppose that the deadline $d_i$ of a hybrid action $b_i = (a_i, g_i, d_i, f_i)$ is defined by a function $\delta_i : 2^V \to 2^V$ such that $\delta_i(g_i) = d_i$.

An example of such a function is $\downarrow$ (falling edge). When $d_i = g_i\!\downarrow$ we have a delayable action according to our terminology. Another example is the identity function $1 = \lambda g.g$, which can be used to define eager actions. Finally, a trivial case is the function $0 = \lambda g.\mathit{false}$, which allows to define lazy actions.

We call the function $\delta_i \in \{0, \downarrow, 1\}$ the type of the action. Types characterize the urgency of an action, which is minimal for $0$ and maximal for $1$. Clearly, for synchronization between $b_1$ and $b_2$ it is necessary to define $\delta_{1,2}$ such that

$\delta_{1,2}(g_{1,2}) \Rightarrow g_{1,2} \wedge (\delta_1(g_1) \vee \delta_2(g_2))$   (a)


Proposition 8. The following table gives the most urgent type $\delta_{1,2}$ satisfying (a) for any mode (AND, MAX, MIN) in terms of $\delta_1, \delta_2$.

  δ_1 \ δ_2 |  0  |  ↓  |  1
  ----------+-----+-----+-----
      0     |  0  |  0  |  0
      ↓     |  0  |  ↓  |  ↓
      1     |  0  |  ↓  |  1

This result allows to reason only in terms of types of actions and drastically simplifies the general framework.

To complete the results, we show that the type of a transition is preserved by priorities and thus the type of interleaving actions is the same as the type of the corresponding synchronizing transitions.

Proposition 9. If $d_i = g_i$ or $d_i = g_i\!\downarrow$ and $g_i' = g_i \wedge \Box\neg g$ for some $g$, then $d_i' = d_i \wedge g_i'$ is such that $d_i' = g_i'$ or $d_i' = g_i'\!\downarrow$ respectively.
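The priority restriction of Definition 5 (the situation of Figure 2), the AND/MAX/MIN synchronization guards with their interleaving guards $g_i' = g_i \wedge \Box\neg g_{1,2}$, and condition (a) behind Propositions 8 and 9, all evaluated over a single clock, as an added example that is not the paper's code. It assumes one clock $x$ with evolution $v \triangleright t = v + t$ (no resets), guards that are closed intervals with integer endpoints, and integer time sampling, which is exact for such guards; the guards $g_1 = [1, 6]$ and $g_2 = [4, 8]$ are constructed.

```python
# Added example (not from the paper): modal operators, priority choice,
# synchronization modes and typed deadlines evaluated over one clock.
# Assumptions: clock x in N with v ▷ t = v + t, closed integer-endpoint
# interval guards, integer sampling (exact for such guards), k in N or ∞.
from typing import Callable, List, Tuple

Pred = Callable[[int], bool]
INF = None          # stands for k = ∞
HORIZON = 50        # every guard endpoint lies below this value


def interval(lo: int, hi: int) -> Pred:
    """Guard that holds while lo <= x <= hi."""
    return lambda v: lo <= v <= hi


def eventually(p: Pred, k=INF) -> Pred:
    """◇_{≤k} p: p holds at v ▷ t for some 0 <= t <= k."""
    return lambda v: any(p(v + t) for t in range(0, (HORIZON if k is INF else k) + 1))


def once(p: Pred, k=INF) -> Pred:
    """◇̄_{≤k} p: p held at some v' >= 0 with v = v' ▷ t, 0 <= t <= k."""
    return lambda v: any(p(v - t) for t in range(0, (v if k is INF else min(k, v)) + 1))


def neg(p: Pred) -> Pred:
    return lambda v: not p(v)


def conj(*ps: Pred) -> Pred:
    return lambda v: all(p(v) for p in ps)


def disj(*ps: Pred) -> Pred:
    return lambda v: any(p(v) for p in ps)


def always(p: Pred) -> Pred:
    """□ p = ¬◇¬p."""
    return neg(eventually(neg(p)))


def falling_edge(p: Pred) -> Pred:
    """p↓: the last instant at which p holds (sampled: p now, not p next)."""
    return lambda v: p(v) and not p(v + 1)


def where(p: Pred) -> List[int]:
    """Clock values in [0, HORIZON) at which p holds."""
    return [v for v in range(HORIZON) if p(v)]


# ---- Definition 5: restrict g_i by the higher-priority actions a_j, a_i ≺_k a_j
def prioritized_guard(g_i: Pred, higher: List[Tuple[Pred, object]]) -> Pred:
    """g_i' = g_i ∧ ⋀_{a_i ≺_k a_j} ¬◇_{≤k} g_j."""
    return conj(g_i, *[neg(eventually(g_j, k)) for g_j, k in higher])


# ---- Section 3.2: guard of the synchronization action b_1|b_2 per mode
def sync_guard(mode: str, g1: Pred, g2: Pred) -> Pred:
    if mode == "AND":
        return conj(g1, g2)
    if mode == "MAX":
        return disj(conj(once(g1), g2), conj(g1, once(g2)))
    if mode == "MIN":
        return disj(conj(eventually(g1), g2), conj(g1, eventually(g2)))
    raise ValueError(mode)


def interleaving_guard(g_i: Pred, g12: Pred) -> Pred:
    """g_i' = g_i ∧ □¬g_{1,2}: b_i alone runs only when synchronization is
    disabled forever (maximal progress)."""
    return conj(g_i, always(neg(g12)))


# ---- Propositions 8/9: types δ ∈ {0, ↓, 1} and condition (a)
TYPES = {"0": lambda g: (lambda v: False), "↓": falling_edge, "1": lambda g: g}


def condition_a_holds(mode: str, g1: Pred, g2: Pred, t1: str, t2: str, t12: str) -> bool:
    """δ_{1,2}(g_{1,2}) ⇒ g_{1,2} ∧ (δ_1(g_1) ∨ δ_2(g_2)) at every sampled instant."""
    g12 = sync_guard(mode, g1, g2)
    d12 = TYPES[t12](g12)
    rhs = conj(g12, disj(TYPES[t1](g1), TYPES[t2](g2)))
    return all((not d12(v)) or rhs(v) for v in range(HORIZON))


# Constructed guards in the spirit of Figure 2: g_1 = [1, 6], g_2 = [4, 8]
G1, G2 = interval(1, 6), interval(4, 8)

if __name__ == "__main__":
    for k in (0, 1, INF):   # a_1 ≺_k a_2; with k = ∞, a_1 is never enabled
        print("g_1' for k =", k, where(prioritized_guard(G1, [(G2, k)])))
    for mode in ("AND", "MAX", "MIN"):
        g12 = sync_guard(mode, G1, G2)
        print(mode, where(g12), where(interleaving_guard(G1, g12)),
              where(interleaving_guard(G2, g12)))
```

With $g_2$ enabled later than $g_1$, the eager type $1$ for $\delta_{1,2}$ violates (a) in MAX mode when both components are delayable, while $\downarrow$ satisfies it, which is the table entry $(\downarrow, \downarrow) \mapsto \downarrow$.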
4 Applications

As an application of the above results, we define a parallel composition operator for typed hybrid actions, that is, actions $b_i = (a_i, g_i, \delta_i, f_i)$ such that $\delta_i \in \{0, \downarrow, 1\}$.

We suppose that for each pair of actions $(a_1, a_2)$ the synchronization mode is given. The resulting interleaving and synchronization actions depend on the synchronization mode. The synchronization action $b_{1,2}$ is $b_{1,2} = (a_1 | a_2, g_{1,2}, \delta_{1,2}, f_1 \times f_2)$, where $g_{1,2}$ is defined in 3.2 according to the synchronization mode and $\delta_{1,2}$ is as specified in the table given in 3.2. The interleaving actions $b_i'$ are of the form $b_i' = (a_i, g_i', \delta_i', f_i)$ where $g_i' = g_i \wedge \Box\neg g_{1,2}$ and $\delta_i' = \delta_i$ (by Proposition 9) for $i = 1, 2$.

Some applications of this general framework can be found in [SY96], where it is shown that for timed Petri nets the underlying synchronization mode is MAX-synchronization. This allows to represent state machine decomposable timed Petri nets as the MAX-parallel composition of timed automata with delayable actions and makes possible the application of efficient timing analysis techniques to timed Petri nets.

An application domain for our results is the modeling of multimedia systems, where combinations of the different synchronization modes are necessary for a natural description of timing constraints. Several formalisms used in this area offer such possibilities. One of the most general seems to be the model of Time Stream Petri Nets, by Diaz et al. [SDLdSS96]. These are Petri nets with interval time constraints where nine different synchronization modes can be associated with delayable transitions. It can be shown that the guards corresponding to the different synchronization modes can be expressed compositionally as modal formulas in terms of the guards of the components.

We are currently studying the application of the results to define the semantics of the language used in the MADEUS tool for the specification of multimedia documents [JLSIR97]. This language allows the description of timing constraints by means of logical and relational operators used to express causality and synchronization relations. The interesting fact is that very often a combination of the three synchronization types is necessary to specify coordination. The results of the study will be published in [BST97].


5 Discussion

We present a general framework for the composition of hybrid automata. We show that from elementary hybrid actions, choice and parallel composition, complex systems can be defined.

The main difference with other approaches is that we associate with actions time progress conditions which specify for how long an enabled action may wait. Time progress conditions at a given state depend on the urgency of the enabled actions.

The big variety of choice and parallel composition operators results from the different ways enabledness and urgency of components can be combined. Contrary to untimed systems, it is necessary to use modalities to express different kinds of composition that are of practical interest. However, for many tractable subclasses of hybrid automata modal operators can be eliminated, e.g. for linear hybrid automata ([ACH+95]). In that case, modalities are used just for notational convenience and do not modify the basic model.

Different choice operators can be expressed in terms of a basic non-deterministic choice operator which combines the behaviors of the contributing actions so as to obtain maximum urgency. Restricting guards to respect priorities leads to the definition of less prompt choice operators. Other kinds of restrictions remain to be investigated.

Priority choice plays an important role for the definition of a parallel composition operator that respects maximal progress and avoids deadlock by means of appropriate interleaving actions.

The proposed framework is very general. Validation by practice is necessary. It is important to notice that so far AND-synchronization has been used for timed process algebras and the different timed extensions of the language Lotos [LL95] as well as for timed and hybrid automata. MAX-synchronization is implicitly used in the different extensions of timed Petri nets.

We believe that AND-synchronization is more appropriate for responsive synchronization, where process coordination is supposed to be strong enough to impose that all the timing constraints of the contributing actions are respected. This is often the case for input/output, sender/receiver synchronization where one of the actions is not submitted to deadline constraints. For example, in the train-gate example often mentioned in the literature [ACH+95], communication between the two processes (train and gate) is responsive, as the gate reacts to input signals sent by the train. Applying AND-synchronization to obtain the product automaton means that the deadlines and upper bounds of each process must be respected. On the contrary, synchronization between the gate process and a car stopped before the gate should allow for waiting, and MAX-synchronization seems more appropriate in this case. We believe that MAX-synchronization should be used to extend parallel composition of asynchronous processes à la CSP. When a hybrid system is obtained as the hybrid extension of an untimed system of communicating automata, it seems natural to use MAX-synchronization for actions that can wait indefinitely before synchronizing.

Finally, MIN-synchronization corresponds to a kind of (symmetric) interrupt and one can hardly imagine examples where the use of this synchronization mode alone suffices.

Acknowledgement: We thank S. Graf, S. Tripakis, E. Olive as well as
An Equivalence Between a Control Network and a Switched Hybrid System

Linda Bushnell*, Octavian Beldiman** and Gregory Walsh***

Abstract. A simple model for ideal control networks is proposed in this paper. A model for hybrid systems due to Witsenhausen is extended by adding both a discrete output and input. This extended model is used for modeling an ideal network of interactive hybrid systems. An equivalence is established between the network model and the Witsenhausen model. This equivalence allows for simulating complicated systems, and extending different properties of Witsenhausen type systems to control network systems. A simple HVAC application is modeled using the above equivalence.


1 Introduction

Recently, the area of control networks has attracted increased interest. Control networks are seen as a possible way to analyze and design complex dynamical systems that either are scattered over a large area, or have real-time requirements that make the data transmission process a critical one. Several architecture standards have been developed in industry. Some of the most representative are the BACnet (building automation and control network) standard and the CAN (controller area network) standard.

BACnet has been designed to provide a standard communication and environmental control network for commercial and government buildings and campus environments. The primary application for this standard is HVAC control. CAN has been designed primarily for automotive applications. For instance, Brauninger et al. [15] use the CAN standard to accommodate the growing need for data communications in trucks and buses. Several other standards are also available. Özgüner et al. [14] use the control network standard FOSU (Ford-Ohio State University) to control automotive suspension.

Modeling and analysis of these networks have just started to develop. Although some introductory papers have been published ([2], [3]), very few papers discuss modeling or analysis issues. In [4] Walsh studies the race condition behavior for networks of hybrid systems. In [5], Tindell et al. give bounds on the message response times in a CAN network. More recently, Wong and Brockett [10] study the effect of communication bandwidth constraints upon these systems.

The subject of control networks is strongly connected to the modeling and analysis of hybrid systems. A vast amount of literature can be found in that direction, in both the field of control and computer science ([6], [7], [8], [9], [11], [12]).

The Witsenhausen model is an older and simpler model [1], and seems to be a good starting point for modeling control networks. Our proposed model allows for distinguishing between the low-level, continuous dynamics and the high-level, discrete switching commands in the network. The high-level strategy is implemented with regard to the way the systems respond to events. We will see that this is actually established by choosing the discrete input transition sets and the network priority assignments.

A slightly modified version of the Witsenhausen model is presented in section 2. The modification consists of adding a discrete output to announce a transition of the discrete state. Then extensions of this model are presented in section 3. A network of these systems is proven to be equivalent to a Witsenhausen model in section 4. Each of the sections contains an example for the models presented. In section 5 we present a simple HVAC application and use the equivalence of section 4 to build a simulator for it.

2 The Witsenhausen Model

Without loss of generality we consider only autonomous models. Time-varying vector fields may be made autonomous by adding time as a new state.

The Witsenhausen model for hybrid systems is developed as follows:

- state: $(m, x) \in M \times \mathbb{R}^n$, where $M$ is a finite set of integers.

- transition sets: A transition from discrete state $i$ to discrete state $j$ is triggered when the continuous state $x$ reaches a given set $J_{ij}$ in $\mathbb{R}^n$. Define the arrival and departure sets as: $J_i^+ = \bigcup_j J_{ji}$ and $J_i^- = \bigcup_j J_{ij}$.

There are three assumptions on the transition sets:

Assumption 1 (1) for any three distinct indices $i, j, k$ the sets $J_{ij}$ and $J_{ik}$ are distinct; (2) for all $i$ in $M$, the set $J_i^-$ is closed; and (3) for all $i$ in $M$ the sets $J_i^-$ and $J_i^+$ are disjoint.

- vector field: $f : M \times \mathbb{R}^n \to \mathbb{R}^n$.

- trajectory: Suppose the initial state is $m_0$. As long as $x \notin J_{m_0}^-$ the system evolves with the vector field $f(m_0, \cdot)$ as

$\dot{x}(t) = f(m_0, x(t))$.

When the state reaches the set $J_{m_0}^-$, because this set is closed and the path is compact, there is an earliest intersection time $t_1$ corresponding to $x_1 \in J_{m_0}^-$. This $x_1$ can belong to only one of the sets $J_{m_0 i}$. Let it be $J_{m_0 m_1}$. From $t_1$ the discrete state is changed to $m_1$, and the system evolves as:

$\dot{x}(t) = f(m_1, x(t))$
with initial condition $x(t_1) = x_1$.

- discrete output: Any time a switching takes place, a discrete output is generated as a function of the new discrete state: $o_1 = \omega(m_1)$ at time $t_1$.

The model may also include a control input $u : M \times \mathbb{R}^n \to \mathbb{R}^p$ with $u(m, \cdot)$ continuous. The vector field would then be defined as:

$f : M \times \mathbb{R}^n \times \mathbb{R}^p \to \mathbb{R}^n$.

The control is usually a function of time and the current state. The closed loop system, where the control is replaced by its dependence on the state, is of the form:

$\dot{x}(t) = f(m, x(t), u_m(t, x(t))) = g(m, x(t)),\ m \in M$.

An example of a trajectory for a Witsenhausen system showing a transition from discrete state $m_0$ to discrete state $m_1$ is presented in figure 1.

Fig. 1. An example of a trajectory for a Witsenhausen system.

To summarize, a Witsenhausen system is defined by the structure $(M, O, f, d, u, J)$, where: $M$ is a finite set of integers representing the discrete state space, $O$ is a finite set of integers representing the discrete output set, $f : M \times \mathbb{R}^n \times \mathbb{R}^p \to \mathbb{R}^n$ is a function of class $C^1$ in the second argument, $d : M \times J \to M$ is the discrete state transition function that indicates the next discrete state when the continuous state has reached one of the transition sets, $\omega : M \to O$ is the discrete output function and $J \in \mathcal{P}(\mathbb{R}^n)$ is the set of the transition sets.
Fig. 2. Hysteresis function for Example 1.

To illustrate the above discussion, an example of a hybrid system due to Tavernini [9] is described as a Witsenhausen system:

Example 1. Consider the system:

$\dot{x}_1 = -x_2 - \varphi(x_1)$

$\dot{x}_2 = H(\psi(x_1, x_2)) - \varphi(x_2)$   (1)

where $\psi$ and $\varphi$ are continuous, and $H$ is a multi-valued function as in figure 2.

For this system we have three discrete states corresponding to the three possible values of $H$: $M = \{0, 1, 2\}$. For each discrete state we associate a discrete output by $\omega : M \to O$, $\omega(m) = m$, so $O = \{0, 1, 2\}$. The field $f$ is obtained for each discrete state by replacing the corresponding value of $H$.

The set of transition sets is

$J = \{J_{01}, J_{02}, J_{10}, J_{20}\}$, where: $J_{01} = \{(x, y) : \psi(x, y) < \alpha\}$, $J_{02} = \{(x, y) : \psi(x, y) > \delta\}$, $J_{10} = \{(x, y) : \psi(x, y) > \beta\}$ and $J_{20} = \{(x, y) : \psi(x, y) < \gamma\}$.

The discrete state transition function $d$ is given by:

   d    | 0 | 1 | 2
  ------+---+---+---
   J_01 | 1 | 1 | 2
   J_02 | 2 | 1 | 2
   J_10 | 0 | 0 | 2
   J_20 | 0 | 1 | 0

For example, if the system is in the discrete state 0, and the continuous state reaches the transition set $J_{01}$, then the discrete state will switch to state 1. If the continuous state then reaches the set $J_{02}$, the discrete state remains 1.
3 Extended Models

The Witsenhausen model covers a large class of hybrid systems, although some discrete phenomena (like autonomous or controlled jumps in the continuous state) are not taken into account. The model lacks the ability to exchange information with the external world. Even with the addition of a discrete output function, as in section 2, the model still has no discrete input capabilities.

In a network environment, however, the systems have to exchange information. To use a Witsenhausen model for these systems, it has to be augmented with discrete inputs. The effect of these discrete inputs will be to change the control law, and hence the vector field of the closed loop system, rather than the vector field of the open loop system. This extension is presented in this section.

3.1 State Dependent Control Switching

The first extension is the case where the control can be switched when the continuous state meets certain conditions, even if the vector field is not modified.

We assume that the control changes when the continuous state reaches some transition sets that respect conditions similar to those from the Witsenhausen model.

For each discrete state the control may be one of a finite number of controls, depending on the continuous state. Then we can replace that discrete state with a finite number of discrete states, one for each possible control.

Using this method we obtain a new set of discrete states $M$. The only new switchings are those introduced by a change in control, and we assumed that the transition sets for these switchings respect Assumption 1.

For each discrete state $m \in M$, we have a continuous input:

$u_m(t) = u_m(t, x(t)),\ m \in M$.

The switching in the discrete state is governed by the continuous state, therefore this extended system is of Witsenhausen type.

Such systems are met when the control strategy is different for different regions in the state space.

Example 2. An example of such a system is an inverted pendulum. For small deviations, the linearization is a good approximation and a classical controller, e.g., state feedback, can be used. When the pendulum is outside this region the controller can be switched to some other controller, e.g., a bang-bang controller.

3.2 Discrete External Commands

In a more general context, the control can be switched not only as a consequence of reaching some regions in the state space, but when receiving some external commands as well. A typical example of such switching is when a hybrid system receives a reset command: the control is switched to the control law corresponding to a given initial discrete state.
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These  systems  are  no  longer  equivalent  to  the  Witsenhausen  systems  de¬ 
scribed  in  section  2.  For  this  extension,  the  discrete  commands  can  come  at  any 
time,  no  matter  where  the  continuous  state  is.  Therefore,  the  switching  in  the 
control,  and  thus  the  discrete  state  is  not  determined  by  the  continuous  state 
alone. 

We will assume that at a given time the system receives a finite sequence of inputs. The equation for the continuous state is the same:

$\dot{x}(t) = f(m, x(t), u(m, t))$

but the switching in the state is no longer triggered only when $x(t)$ reaches $\mathcal{J}^-$.

The system now has an additional discrete input $v_k \in V$, where $V$ is a finite set. For any discrete states $m, n \in M$ there is a set $V_{mn} \subset V$, maybe empty, having the property that if the system was in the discrete state $m$ and received a discrete input $v_k \in V_{mn}$, then the system switches to the discrete state $n$.

Denote by $V_m^+ = \bigcup_i V_{im}$ the arrival input set for state $m$, i.e., the set of discrete inputs that would switch the system to state $m$. Let $V_m^- = \bigcup_j V_{mj}$ be the departure input set for state $m$, that is, the set of all discrete inputs that would force the system to leave the discrete state $m$.

Assumptions  similar  to  those  for  the  transition  sets  in  section  2  are  needed: 

Assumption 2. (1) For all $i, j, m \in M$ the sets $V_{mi}$ and $V_{mj}$ are distinct if $i \neq j$, and (2) for all $m \in M$ the sets $V_m^-$ and $V_m^+$ are disjoint.

We can define $\mathcal{V} \subset \mathcal{P}(V)$, the set of input transition sets, and the discrete-input discrete-state transition function $\nu : M \times \mathcal{V} \to M$, such that $\nu(m, V_{mn}) = n$ ($V_{mn}$ is the set of discrete inputs that would produce a transition from discrete state $m$ to discrete state $n$).

After receiving a discrete input the system jumps to the corresponding state (which may be the same state). If the continuous state is in one of the transition sets for that state, the system jumps instantaneously to the new state.

In order to avoid a loop when connecting these systems in a network we assume that the discrete output is triggered by the continuous state only (more precisely, when the continuous state reaches one of the transition sets).

The mathematical model of these systems is therefore represented as

$(M, \Omega, f, d, \omega, \mathcal{J}, V, \mathcal{V}, \nu)$, where $(M, \Omega, f, d, \omega, \mathcal{J})$ is a Witsenhausen system as defined in section 2, $V$ is a finite set of integers representing the discrete input set, $\mathcal{V} \subset \mathcal{P}(V)$ is the set of discrete transition sets and $\nu : M \times \mathcal{V} \to M$ is the discrete-input discrete-state transition function that indicates the next discrete state corresponding to a given input.

We  will  call  such  a  system  an  extended  Witsenhausen  system. 

Remark. The only assumption we made about the time distribution of the discrete input is that at a given time the system receives a finite sequence of inputs. Suppose that at a given time the system receives the inputs $\{v_1, v_2, \ldots, v_n\}$. Then the resulting discrete state is obtained by sequentially processing these inputs. More exactly, the next discrete state will be $\nu(\nu(\ldots \nu(m_0, v_1), \ldots, v_{n-1}), v_n)$, where $m_0$ is the initial discrete state.

The extended Witsenhausen systems interact with the environment via discrete inputs and discrete outputs. A block diagram for such a system is shown in figure 3.


Fig.  3.  Block  diagram  for  an  extended  Witsenhausen  system. The  solid  lines  represent 
continuous  signals  and  the  dotted  lines  represent  discrete  signals. 


These are the types of systems that one would expect in a network environment. Different systems in the network interact with each other, possibly changing their internal state when receiving messages from the other systems in the network. Messages are external commands that do not depend on the continuous state of the system, at least not directly. From this point of view, each individual system in the network is of the extended Witsenhausen type.

In the next section we will assume that all the extended Witsenhausen systems have the same input and output alphabet.

4  A  Network  of  Systems 

A  control  network  is  a  collection  of  hybrid  systems  exchanging  information  to 
achieve  a  common  goal.  The  term  information  stresses  the  fact  that  the  systems 
exchange  messages  in  response  to  some  change  in  their  discrete  states.  A  control 
network  is  not  the  communication  channel  between  a  plant  and  its  controller. 

In  this  section,  we  will  show  a  way  to  model  a  network  composed  of  extended 
Witsenhausen  systems. 

There  are  a  number  of  ways  one  can  connect  some  extended  Witsenhausen 
systems: 

1. parallel connection: The systems have the same discrete input. This connection is trivial in the sense that each system evolves individually, without interacting with the others.

2. serial connection: The discrete output of a system is the discrete input of the next system. Such a connection could model a pipelined environment, such as a manufacturing line. Each stage signals when it finishes processing an item. The next stage receives this signal and knows that it has to start working on the item.

3. loop connection: The discrete output of one system is the discrete input of the second, and the discrete output of the second is the discrete input of the first. This can model any kind of hybrid plant / hybrid controller system.

4. network connection: This is the connection we are interested in for this paper. The discrete output of a system is the discrete input of all the other systems (except itself). Each of the systems has a priority, such that if several systems send a discrete output at the same time, they will be arranged in the order of the priorities. In that case all the systems will receive a finite ordered sequence of inputs, and will process it according to the above remark.

Note  that  the  network  connection  described  above  neglects  the  transmission 
delays  associated  with  the  network.  Hence,  any  two  systems  in  the  network  can 
communicate  with  each  other  without  transmission  delays.  A  block  diagram  of 
a  network  connection  of  extended  Witsenhausen  systems  is  shown  in  figure  4. 


Fig.  4.  Block  diagram  of  a  network  connection. 


Consider $N$ extended Witsenhausen hybrid systems connected in a network, labeled in the decreasing order of their collision priorities:

$(M_i, V_i, \Omega_i, \mathcal{J}_i, \mathcal{V}_i, \nu_i),\quad i = 1, \ldots, N.$

We  now  state  the  main  proposition  of  this  paper: 
Proposition 1. A network of $N$ extended Witsenhausen hybrid systems is equivalent to a Witsenhausen system obtained by concatenating the individual systems.

More precisely, the system obtained by concatenating the individual systems is $(M, \Omega, f, d, \omega, \mathcal{J})$, where:

- $M = M_1 \times M_2 \times \cdots \times M_N$

- $\Omega = \Omega_1 \times \Omega_2 \times \cdots \times \Omega_N$

- $f = [f_1, f_2, \ldots, f_N]^T$

- $\omega = (\omega_1, \omega_2, \ldots, \omega_N)$

- $\mathcal{J} = \{A_1 \times A_2 \times \cdots \times A_N \mid A_i \in \mathcal{J}_i \text{ or } \exists B_i \in \mathcal{J}_i,\ A_i = C(B_i),\ \forall i, \text{ and there is at least one } i \text{ for which } A_i \in \mathcal{J}_i\}$, where $C$ is the usual notation for set complement.

- $d$ is the discrete state transition function, which is defined as follows:

Let $m = (m_1, m_2, \ldots, m_N) \in M$ and $J = (A_1, A_2, \ldots, A_N) \in \mathcal{J}$. We have to define $n = (n_1, n_2, \ldots, n_N)$ such that $n = d(m, J)$.

Construct the sequence $\{i_k\}_{1 \le k \le r}$ of indices for which $A_{i_k} \in \mathcal{J}_{i_k}$ (in increasing order). Then we can also construct the sequence $\{v_k\}_{1 \le k \le r}$ such that $v_k = \omega_{i_k}(m_{i_k}, A_{i_k})$.

Take $n_{i_k} = d_{i_k}(m_{i_k}, A_{i_k})$.

For the other components, construct iteratively the next state, considering as a sequence of discrete inputs the sequence $\{v_k\}$.

Note that the case when the sequence $\{i_k\}$ has more than one element corresponds to a collision (because several systems will try to send their output on the network at the same time). Then the network will broadcast their output in the order of their priority (due to our assumption that the systems have been labeled in decreasing order of their priorities, e.g., system 1 has the highest priority).

Remark. For this composed system the continuous state is the concatenation of all individual continuous states:

$x(t) = [x_1(t), x_2(t), \ldots, x_N(t)]^T$

and the discrete state takes values in the Cartesian product of the discrete state spaces of each system (still a finite set):

$m = (m_1, m_2, \ldots, m_N) \in M_1 \times M_2 \times \cdots \times M_N.$

Proof.  We  have  to  prove  two  things:  first  we  have  to  prove  that  the  transition 
sets  for  the  network  respect  the  three  assumptions  needed  for  the  Witsenhausen 
model,  and  then  we  have  to  prove  that  the  switching  of  the  discrete  state  for  the 
network  is  triggered  by  its  continuous  state. 

We will consider $N = 2$. The proof for a general $N$ is a simple extension of this case.

Suppose we aggregate two Witsenhausen models. One of them has continuous state $x(t) \in M$ and discrete state $d \in D$, and the other has continuous state $y(t) \in N$ and discrete state $e \in E$.
Denote by $\mathcal{J}_d^+$ and $\mathcal{J}_d^-$ the arrival set into and the departure set from the discrete state $d$ for the first system, and by $\mathcal{J}_e^+$ and $\mathcal{J}_e^-$ the arrival set into and the departure set from the discrete state $e$ for the second system.

Since the two systems are Witsenhausen, the sets $\mathcal{J}_d^-$, $\mathcal{J}_d^+$ and $\mathcal{J}_e^-$, $\mathcal{J}_e^+$ are closed (in $M$, respectively $N$).

Let us denote by $\mathcal{J}_{de}^+$ and $\mathcal{J}_{de}^-$ the arrival set into and the departure set from the discrete state $(d, e)$ for the composed system (the model for the network).

If we ignore the interaction between the two systems (the fact that the switching in the discrete state of one of the systems could generate a message through the network that may trigger the switching of the discrete state for the second system) then we have:

$\mathcal{J}_{de}^- = (\mathcal{J}_d^- \times N) \cup (M \times \mathcal{J}_e^-)$

$\mathcal{J}_{de}^+ = (\mathcal{J}_d^+ \times C(\mathcal{J}_e^-)) \cup (C(\mathcal{J}_d^-) \times \mathcal{J}_e^+)$

Indeed, the network leaves state $(d, e)$ either when the first system leaves state $d$ or when the second system leaves state $e$. Similarly, the network comes into state $(d, e)$ either when the first system comes into state $d$ and the second does not leave state $e$, or the other way around.

These new sets respect Assumption 1:

1. To prove that $\mathcal{J}_{de}^- \cap \mathcal{J}_{de}^+ = \emptyset$, suppose that there is a point in this intersection: $(x, y) \in \mathcal{J}_{de}^- \cap \mathcal{J}_{de}^+$. Then $(x, y) \in \mathcal{J}_{de}^-$. So either $x \in \mathcal{J}_d^-$ or $y \in \mathcal{J}_e^-$. In both cases $(x, y)$ cannot belong to $\mathcal{J}_{de}^+$, thus the departure and arrival sets are disjoint.

2. $\mathcal{J}_{de}$ is closed because it is a finite union of closed sets.

3. The third assumption (the fact that the sets of the form $\mathcal{J}_{(de)(fg)}$ are disjoint) is ensured by the fact that the sets $\mathcal{J}^x_{df}$ and $\mathcal{J}^y_{eg}$ are disjoint, since they are transition sets for Witsenhausen systems (and the former sets are simple Cartesian products of the latter sets).

However this does not take into account the switching generated by sending messages on the net. Assume now that there is some interaction between the two systems. This does not change the departure sets (only their distribution), but affects the arrival sets. The effect is that one arbitrary transition set, let us say $\mathcal{J}_{(mn)(dn)}$, is added to $\mathcal{J}_{de}^+$ (the transition of $m$ to $d$ could send a message to trigger $n$ to $e$). Then we have a problem if $\mathcal{J}_{(mn)(dn)} \subset M \times \mathcal{J}_e^-$.

But  the  way  we  defined  the  transition  function  for  the  composed  system 
allows  us  to  get  rid  of  this  problem:  the  discrete  state  of  the  network  goes  directly 
to  the  final  state,  avoiding  the  possible  transparent  state.  So,  even  if  we  take  into 
account  the  messaging,  the  transition  sets  still  verify  the  assumptions  from  the 
Witsenhausen  model. 

The only thing left to prove is that a change in the discrete state is triggered only when the continuous state reaches one of the sets in $\mathcal{J}$.

A change in the discrete state of the overall system happens if and only if some of the individual systems change their discrete states. An individual system $p$ can change its discrete state $i$ in two cases: either its continuous state reached the departure set $\mathcal{J}_i^-$ or an external command in the departure input set $V_i^-$ has been received through the network.

In the first case the change in the discrete state is triggered by the continuous state. In the second case, let $q$ be the system that issued the command. System $q$ can send an output on the net only when its continuous state reaches one of the transition sets. So in this case, the change in the discrete state of the system $p$ is triggered by the continuous state of the system $q$. That means that in general, the change in the discrete state of the composed system is triggered by its continuous state.

This proves that the system obtained by concatenating all the individual systems from the network is of Witsenhausen type.
Example 3. Consider two extended Witsenhausen systems:

$\dot{x}_i(t) = f_i(q_i, x_i),\quad i = 1, 2$

having two discrete states $q_i \in \{0, 1\}$ with transition sets $\mathcal{J}^{(i)}_{01} = \{x \mid x < a_i\}$ and $\mathcal{J}^{(i)}_{10} = \{x \mid x > b_i\}$, $i = 1, 2$ (the notation $\mathcal{J}_{mn}$ actually means that $d(m, \mathcal{J}_{mn}) = n$).

Take $\Omega_i = \{0, 1\}$, $\omega_1(m) = \omega_2(m) = m$, and $V_1 = V_2 = \{0, 1\}$.

Suppose $\mathcal{V}_i = \{V_{01}\} = \{\{1\}\}$ (if the system was in state 0 and receives an input 1 then it will switch to state 1). The equivalent system for a network composed of these two systems is presented as:

$M = \{0, 1\} \times \{0, 1\} = \{(0, 0), (0, 1), (1, 0), (1, 1)\}$

$\Omega = \Omega_1 \times \Omega_2 = \{(0, 0), (0, 1), (1, 0), (1, 1)\}$

$f = [f_1, f_2]^T$

$\omega : M \to \Omega,\ \omega(m) = m$

$\mathcal{J} = \{\mathcal{J}^{(1)}_{01} \times \mathcal{J}^{(2)}_{01},\ \mathcal{J}^{(1)}_{01} \times C(\mathcal{J}^{(2)}_{01}),\ C(\mathcal{J}^{(1)}_{01}) \times \mathcal{J}^{(2)}_{01},$
$\quad \mathcal{J}^{(1)}_{10} \times C(\mathcal{J}^{(2)}_{01}),\ \mathcal{J}^{(1)}_{10} \times \mathcal{J}^{(2)}_{01},\ C(\mathcal{J}^{(1)}_{10}) \times \mathcal{J}^{(2)}_{01},$
$\quad C(\mathcal{J}^{(1)}_{01}) \times \mathcal{J}^{(2)}_{10},\ \mathcal{J}^{(1)}_{01} \times \mathcal{J}^{(2)}_{10},\ \mathcal{J}^{(1)}_{01} \times C(\mathcal{J}^{(2)}_{10}),$
$\quad C(\mathcal{J}^{(1)}_{10}) \times \mathcal{J}^{(2)}_{10},\ \mathcal{J}^{(1)}_{10} \times C(\mathcal{J}^{(2)}_{10}),\ \mathcal{J}^{(1)}_{10} \times \mathcal{J}^{(2)}_{10}\}$

Denote by $J_1, \ldots, J_{12}$ the elements of $\mathcal{J}$, in the order listed above; then: $d((0,0), J_1) = d((0,0), J_2) = d((0,0), J_3) = (1,1)$, $d((1,0), J_4) = (0,0)$, $d((1,0), J_5) = d((1,0), J_6) = (1,1)$, $d((0,1), J_7) = (0,0)$, $d((0,1), J_8) = d((0,1), J_9) = (1,1)$, $d((1,1), J_{10}) = (1,0)$, $d((1,1), J_{11}) = (0,1)$, and $d((1,1), J_{12}) = (0,0)$.


This  example  illustrates  the  equivalence  between  a  control  network  of  two 
extended  Witsenhausen  systems  and  a  Witsenhausen  system. 
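The construction of $d$ from Proposition 1, the sequential processing of a finite input sequence from the Remark in section 3.2, and the transition table of Example 3, worked through in Python as an added example (not code from the paper). Transition sets are kept symbolic, as the pair $(m, n)$ naming the component set $\mathcal{J}_{mn}$ or its complement; the assumptions are that the output emitted at a switch is $\omega_i$ of the state entered and that every system other than the sender processes each broadcast output, which is what reproduces the paper's table.

```python
from dataclasses import dataclass
from itertools import product


@dataclass
class ExtWitsenhausen:
    """The discrete part of one extended Witsenhausen system (M_i, Omega_i, J_i, V_i, nu_i)."""
    states: tuple   # M_i
    omega: dict     # discrete output emitted when a state is entered (assumption: omega_i(n))
    trans: list     # pairs (m, n) for which a continuous transition set J_mn exists
    vtrans: dict    # (m, n) -> set V_mn of discrete inputs that switch m to n (Assumption 2)

    def nu(self, m, v):
        """Discrete-input transition: go to n if v is in V_mn, otherwise stay in m."""
        for (src, dst), inputs in self.vtrans.items():
            if src == m and v in inputs:
                return dst
        return m

    def process(self, m0, inputs):
        """Sequential processing nu(nu(...nu(m0, v1)...), v_n) from the Remark in 3.2."""
        m = m0
        for v in inputs:
            m = self.nu(m, v)
        return m


class Network:
    """Network connection of extended Witsenhausen systems, listed by decreasing priority."""

    def __init__(self, systems):
        self.systems = list(systems)

    def transition_sets(self):
        """The family J of Proposition 1: products A_1 x ... x A_N where each A_i is a
        component transition set ("J", m, n) or its complement ("C", m, n), and at least
        one factor is a true transition set."""
        options = [[("J",) + mn for mn in s.trans] + [("C",) + mn for mn in s.trans]
                   for s in self.systems]
        return [A for A in product(*options) if any(a[0] == "J" for a in A)]

    def d(self, m, A):
        """Discrete-state transition function of the composed Witsenhausen system."""
        n = list(m)
        outputs = []                                   # (sender, v_k) in priority order
        for i, (s, (kind, src, dst)) in enumerate(zip(self.systems, A)):
            if src != m[i]:
                raise ValueError(f"A_{i + 1} does not refer to the current state {m[i]}")
            if kind == "J":                            # system i_k switches on its own state
                n[i] = dst                             # n_{i_k} = d_{i_k}(m_{i_k}, A_{i_k})
                outputs.append((i, s.omega[dst]))      # v_k = omega_{i_k}(...)
        # Broadcast in priority order: every system other than the sender processes the
        # sequence, so the network jumps straight to the final state (no transparent state).
        for i, s in enumerate(self.systems):
            n[i] = s.process(n[i], [v for sender, v in outputs if sender != i])
        return tuple(n)

    def transitions_from(self, m):
        """All (A, d(m, A)) pairs whose factors refer to the current discrete state m."""
        return {A: self.d(m, A) for A in self.transition_sets()
                if all(a[1] == mi for a, mi in zip(A, m))}


def example3_network():
    """The two systems of Example 3: J_01 = {x < a_i}, J_10 = {x > b_i}, omega(m) = m,
    V = {0, 1} and V_01 = {1} (input 1 received in state 0 switches to state 1)."""
    def system():
        return ExtWitsenhausen(states=(0, 1), omega={0: 0, 1: 1},
                               trans=[(0, 1), (1, 0)], vtrans={(0, 1): {1}})
    return Network([system(), system()])


if __name__ == "__main__":
    net = example3_network()
    print(len(net.transition_sets()), "transition sets")   # 12, as in Example 3
    for m in [(0, 0), (1, 0), (0, 1), (1, 1)]:
        for A, n in net.transitions_from(m).items():
            print(m, A, "->", n)
```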


5  A  Simple  HVAC  Application 

In  this  section  we  present  a  very  simple  temperature  control  problem  to  illustrate 
the  extended  Witsenhausen  model  and  the  equivalent  model  of  a  control  network. 
Fig. 5. Plan of a building.


In  figure  5  we  show  a  plan  of  a  building  with  9  rooms,  2  ventilation  fans 
and  3  temperature  sensors.  We  will  consider  that  the  sensors  and  the  fans  are 
connected  by  a  network  so  that  they  can  exchange  information,  and  that  there 
is  no  central  controller  involved. 

We want to model this system so that we can simulate its behavior for different control strategies for the fans.

The fans can have only two states: on and off. We denote by $m_1$ the state of the first fan ($m_1 = 0$ if the first fan is off and $m_1 = 1$ if the first fan is on), and by $m_2$ the state of the second fan. If a fan is on, the adjacent rooms are heated with a rate $r$, and the third room is heated with a rate $r/2$.

We will assume very simple equations for the temperature in the rooms ($u$ represents the temperature):

- room 1: $u_1' = -u_1 + r m_1 + 0.5 r m_2$

- room 2: $u_2' = -u_2 + r m_1 + r m_2$

- room 3: $u_3' = -u_3 + 0.5 r m_1 + r m_2$

The sensors will send a signal if the temperature in that room is above an upper limit $T_{max}$ or below a lower limit $T_{min}$. We notice that we don't need to model the fans because their influence is implicit in the temperature equations for the rooms. We will consider the following control strategy:

-  if  the  temperature  in  room  1  is  above  Tmax  switch  fan  1  off. 

-  if  the  temperature  in  room  1  is  below  Tmin  switch  fan  1  on. 

-  if  the  temperature  in  room  3  is  above  Tmax  switch  fan  2  off. 

-  if  the  temperature  in  room  3  is  below  Tmin  switch  fan  2  on. 

-  if  the  temperature  in  room  2  is  above  Tmax  switch  both  the  fans  off. 

-  if  the  temperature  in  room  2  is  below  Tmin  switch  both  the  fans  on. 
Each room can be modeled as an extended Witsenhausen model with four discrete states, each state corresponding to a possible combination of states for the fans.


Fig.  6.  Underlying  finite  state  automaton  for  room  1. 


The equations corresponding to room 1, for each discrete state, are:

- $q_1 = 0$: $u_1' = -u_1$ (both fans are off)

- $q_1 = 1$: $u_1' = -u_1 + r$ (first fan on, the second off)

- $q_1 = 2$: $u_1' = -u_1 + 0.5 r$ (first fan off, the second on)

- $q_1 = 3$: $u_1' = -u_1 + 1.5 r$ (both fans on)

The  equations  for  the  other  two  rooms  are  similar. 

Figure  6  presents  the  underlying  finite  state  automaton  for  the  first  room. 
Note  that  transitions  can  occur  either  if  the  temperature  passes  the  limits,  or  if 
a  discrete  input,  v,  is  read  from  the  network.  This  discrete  input  was  generated 
by  another  room  whose  temperature  passed  the  limits.  Below  each  transition 
due  to  the  continuous  state,  the  discrete  output,  o,  is  specified. 

The control strategy for the fans is coded in the way the discrete inputs/outputs are defined in the control network. We define six messages that can be exchanged between rooms, having the following meaning: $v = 0$: fan 1 is off, $v = 1$: fan 1 is on, $v = 2$: fan 2 is off, $v = 3$: fan 2 is on, $v = 4$: both fans are on and $v = 5$: both fans are off.

Once  we  have  defined  each  extended  Witsenhausen  system  that  is  connected 
to  the  network,  we  can  form  the  equivalent  Witsenhausen  model  for  the  network. 
The continuous state will be $u = (u_1, u_2, u_3)$. The discrete state will be $q = (q_1, q_2, q_3)$. The transition sets are Cartesian products of the individual transition sets, or their complements.

For instance the transition set from state $(0, 0, 0)$ to state $(1, 1, 1)$ is:

$(-\infty, T_{min}] \times [T_{min}, \infty) \times (T_{min}, \infty).$

Using this model we simulated the network in Matlab, and the behavior of the system for two different fan control strategies is shown in figure 7. In the simulator used, the transition sets were not precomputed; instead, once the system crossed one of the limit temperatures, the new discrete state was established.

In  figure  7  the  system  is  simulated  for  two  fan  control  strategies:  the  first 
one  is  the  one  described  above,  and  the  second  one  is  very  similar,  with  the  only 
difference  that  when  the  temperature  in  room  2  reaches  one  of  the  limits,  only 
fan  1  is  turned  on  or  off. 

Using  the  equivalence  to  a  Witsenhausen  model,  from  Proposition  1,  a  net¬ 
work  of  systems  is  very  easy  to  simulate.  Otherwise  for  each  network  one  would 
have  to  write  a  specific  simulator. 
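The three-room network of this section simulated as one Witsenhausen system, as an added example (not the Matlab simulator used by the authors). It uses the Fig. 7 constants $T_{max} = 1$, $T_{min} = 0.4$, $r = 1$; the Euler step, the initial temperatures and fan states, and the priority order room 1 > room 2 > room 3 for simultaneous crossings are assumptions.

```python
# Constants of Fig. 7; the Euler step is an assumption.
T_MAX, T_MIN, R = 1.0, 0.4, 1.0
DT = 1e-3

# Heating weights (fan 1, fan 2) per room: rooms adjacent to a fan are heated at rate r,
# the third room at r/2 (section 5).
WEIGHTS = [(1.0, 0.5), (1.0, 1.0), (0.5, 1.0)]

# The six messages of section 5
FAN1_OFF, FAN1_ON, FAN2_OFF, FAN2_ON, BOTH_ON, BOTH_OFF = range(6)


def room_state(m1, m2):
    """Discrete state q_i of a room: 0 off/off, 1 on/off, 2 off/on, 3 on/on (as for room 1)."""
    return m1 + 2 * m2


def rates(u, m1, m2):
    """u_i' = -u_i + a_i r m1 + b_i r m2 for the three rooms."""
    return [-ui + R * (a * m1 + b * m2) for ui, (a, b) in zip(u, WEIGHTS)]


def sensor_message(room, above, variant):
    """Discrete output of the sensor in `room` (0..2) when its temperature crosses
    T_MAX (above=True) or T_MIN (above=False).
    variant 1: the strategy of section 5; variant 2: room 2 switches fan 1 only."""
    if room == 0:
        return FAN1_OFF if above else FAN1_ON
    if room == 2:
        return FAN2_OFF if above else FAN2_ON
    if variant == 1:
        return BOTH_OFF if above else BOTH_ON
    return FAN1_OFF if above else FAN1_ON


def apply_message(v, m1, m2):
    """Fan states every room adopts after reading message v from the network (the nu map)."""
    return {FAN1_OFF: (0, m2), FAN1_ON: (1, m2), FAN2_OFF: (m1, 0),
            FAN2_ON: (m1, 1), BOTH_ON: (1, 1), BOTH_OFF: (0, 0)}[v]


def simulate(variant, t_end=3.0, u0=(0.5, 0.5, 0.5), fans=(0, 0)):
    """Simulate the network as one Witsenhausen system with continuous state u = (u1, u2, u3)
    and discrete state q = (q1, q2, q3). Returns the discrete transitions as tuples
    (time, messages in priority order, fan states, q)."""
    u, (m1, m2), t, events = list(u0), fans, 0.0, []
    while t < t_end:
        new_u = [ui + DT * dui for ui, dui in zip(u, rates(u, m1, m2))]
        # Sensors fire when a limit is crossed; simultaneous crossings (a collision) are
        # ordered by the assumed priorities room 1 > room 2 > room 3.
        messages = []
        for i in range(3):
            if u[i] < T_MAX <= new_u[i]:
                messages.append(sensor_message(i, True, variant))
            elif u[i] > T_MIN >= new_u[i]:
                messages.append(sensor_message(i, False, variant))
        u, t = new_u, t + DT
        if messages:
            for v in messages:                 # sequential processing of the input sequence
                m1, m2 = apply_message(v, m1, m2)
            q = tuple(room_state(m1, m2) for _ in range(3))
            events.append((round(t, 3), messages, (m1, m2), q))
    return events


if __name__ == "__main__":
    for variant in (1, 2):
        print(f"strategy {variant}:")
        for t, msgs, fans, q in simulate(variant):
            print(f"  t={t:.3f} messages={msgs} fans={fans} q={q}")
```

With the first strategy the fans cycle between both on and both off, driven alternately by room 2 crossing $T_{max}$ and by rooms 1 and 3 crossing $T_{min}$ together; with the second strategy the system settles with only fan 2 on.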


[Figure 7 panel: Temperature in the rooms, for the first control strategy]

[Figure 7 panel: Temperature in the rooms, for the second control strategy]

Fig. 7. Temperature in the three rooms for the two fan control strategies. We used $T_{max} = 1$, $T_{min} = 0.4$, $r = 1$.
6 Conclusions

The  equivalence  between  a  network  of  extended  Witsenhausen  systems  and  a 
Witsenhausen  system  has  been  proven  in  this  paper.  This  equivalence  offers  us 
a  way  to  analyze  and  design  control  networks.  Once  we  know  certain  properties 
about  Witsenhausen  systems,  we  can  apply  them  directly  to  the  network.  For 
instance,  in  [6],  Branicky  extends  the  Lyapunov  stability  theory  to  switched 
systems,  which  are  similar  to  the  Witsenhausen  systems  discussed  in  this  paper. 
This  extended  theory  can  be  a  way  to  analyze  the  stability  of  the  control  network. 
Also,  in  [1]  Witsenhausen  proves  some  necessary  conditions  for  optimal  control 
of  his  models,  which  can  be  applied  to  the  control  network  to  solve  optimal 
control  problems. 

The main assumption in our derivation was that the control network has no communication delays. In a real network this does not happen, although for control networks, which are designed for high speed and small packets, the delays are very small. A critical problem occurs when several component systems change their states simultaneously. Then the sequence of messages will come scattered in time, requiring some kind of robustness for the system that has to process that information. More precisely, the transition sets corresponding to two successive discrete states should not be arbitrarily close. This problem is a future research topic.

Additional future research includes extending stability results to Witsenhausen systems, as well as extending the limit cycle theory of nonlinear systems. Also the effect of the assumptions made about the network, and ways to introduce perturbation factors that would model the environmental connection between different systems in the network, will be studied.


References

1. H. S. Witsenhausen. "A class of hybrid-state continuous time dynamic systems," IEEE Transactions on Automatic Control, 11(2):161-167, 1966.

2. R. S. Raji. "Smart networks for control," IEEE Spectrum, June 1994, p. 49-55.

3. D. Radford. "Spread-spectrum data leap through ac power wiring," IEEE Spectrum, November 1996, p. 48-53.

4. G. Walsh. "On race conditions for networked control systems," in Proceedings of the 30th CISS, Princeton, NJ, March 1996, p. 411-415.

5. K. Tindell, A. Burns and A. J. Wellings. "Calculating controller area network (CAN) message response times," Control Eng. Practice, vol. 3, no. 8, p. 1168-1169, 1995.

6. M. S. Branicky. "Studies in hybrid systems: modeling, analysis, and control," Ph.D. dissertation, MIT, June 1995.

7. A. Back, J. Guckenheimer and M. Myers. "A dynamical simulation facility for hybrid systems," in Grossman et al. [13], p. 255-267.

8. A. Nerode and W. Kohn. "Models for hybrid systems: Automata, topologies, stability," in Grossman et al. [13], p. 317-356.

9. L. Tavernini. "Differential automata and their discrete simulators," Nonlinear Analysis, Theory, Methods and Applications, 11(6):665-683, 1987.

10. W. S. Wong and R. W. Brockett. "Systems with finite communication bandwidth constraints - Part I: State estimation problems," IEEE Transactions on Automatic Control, 42(9):1294-1299.

11. R. W. Brockett. "Hybrid models for motion control systems," in H. L. Trentelman and J. C. Willems, editors, Essays in Control: Perspectives in the Theory and its Applications, p. 29-53, 1993.

12. R. W. Brockett. "Dynamical systems and their associated automata," in U. Helmke, R. Mennicken and J. Saurer, editors, Systems and Networks: Mathematical Theory and Applications. Akademie Verlag, Berlin, 1994.

13. R. L. Grossman, A. Nerode, A. P. Ravn, H. Rischel, editors. Hybrid Systems, volume 736 of Lecture Notes in Computer Science. Springer-Verlag, New York, 1993.

14. U. Özgüner, H. Goktas, H. Chan. "Automotive suspension control through a computer communication network," 1st IEEE Conference on Control Application, 1992.

15. J. Brauninger, R. Emig, T. Küttner and A. Loffle. "Controller Area Network for Truck and Bus Application," SAE Transactions, v. 99, sect. 2, 1990, p. 704-714.


Hybrid cc with Interval Constraints

Bjorn Carlson, Vineet Gupta


Abstract. Hybrid cc is a constraint programming language suitable for modeling, controlling and simulating hybrid systems, i.e. systems with continuous and discrete state changes. The language extends the concurrent constraint programming framework with default reasoning and combinators for programming continuous behavior. The most important constraint systems used in Hybrid cc are nonlinear equations and ordinary differential equations over intervals. We describe the implementation of the Hybrid cc interpreter and constraint solvers, and evaluate the performance using some example programs.


1  Introduction 

Hybrid cc [GJS97, GJSB95] is a compositional, declarative language, based on constraint programming, which enables modeling and simulation of hybrid systems in one framework. In Hybrid cc, a hybrid system is specified by a set of constraints on its temporal behavior. Each constraint describes an internal relationship of the system, e.g. the heat loss of a container as a function of time, or the acceleration as it depends on mass. The constraints are based on standard formalisms used in physics and engineering, such as differential equations and algebraic equations. Discrete events and state changes, such as turning on a heater when the ambient temperature drops too low, are specified using the combinators of concurrent constraint programming [Sar93] and default logic [Rei80]. The formal operational semantics of Hybrid cc is described in [GJS97].

This paper presents an implementation of Hybrid cc. We have chosen an interval constraint system for our implementation, since this gives us the ability to model some uncertainty in the parameters. The two most important classes of constraints used in our implementation are (nonlinear) algebraic and ordinary differential equations. Algebraic constraints are solved by interval propagation using indexicals, interval splitting, the Newton-Raphson method and the Simplex algorithm. Differential equations are integrated using a version of the fourth-order Runge-Kutta method with adaptive stepsize, modified for interval variables. We use constraint propagation to solve the simultaneous differential equations.

Interval constraints provide Hybrid cc with the expressive power required for many modeling problems [GSS95], where inequalities are used to express physical constraints like bounds on force magnitudes etc. In addition, many physical systems are imprecise in nature, i.e. we cannot construct a perfectly accurate model. The imprecision is captured by interval constraints. By using constraint propagation inside the numerical integrator we are further able to strengthen the precision of the integration by adding redundant constraints, which narrow the divergence (see example in Section 3) that follows from imprecise initial conditions.

Our  implementation  is  based  on  an  interpreter  and  compiler  written  in  C  and 
Yacc.  The  compiler  translates  each  program  into  a  graph  of  expressions,  which 
is  interpreted  combinator  by  combinator.  The  interpreter  keeps  a  constraint 
store  similar  to  the  store  of  traditional  constraint  programming  languages.  The 
memory  is  managed  using  a  conservative  garbage  collector  for  C. 

The implementation is easily embeddable in other systems. For example, we have integrated Hybrid cc with Java, both as a Win32 dynamic library with an API for compiling and running Hybrid cc under Windows 95 and Windows NT, and as a remote procedure call interface for compiling and running Hybrid cc remotely. We have also developed a modeling client in Java with support for visual Hybrid cc programming, and graphical output, both as graph plots and 2.5D animations generated by sampling variables during the execution of a Hybrid cc program.

The  performance  of  Hybrid  cc  on  interval  constraint  benchmarks  shows  that 
its  interval  propagation  is  comparable  with  the  best  interval  solvers  e.g.  clp(Newton) 
[VMK95].  Clearly,  our  interval  version  of  the  Runge-Kutta  method  is  not  as  fast 
as  standard  libraries  for  integration  over  real-valued  variables.  However,  by  using 
interval  variables  and  constraint  propagation  inside  the  numerical  solver,  we  get 
a  more  flexible  and  robust  system  for  modeling  with  differential  equations. 

The  paper  is  structured  as  follows.  In  Section  2  we  give  a  brief  introduction 
to  Hybrid  cc  and  give  its  operational  semantics.  We  then  give  a  description  of 
the  constraint  solvers  in  Section  3.  Finally  we  conclude  with  a  comparison  with 
related  work  and  an  evaluation  of  the  performance  of  the  interpreter. 

2  Hybrid  cc  -  the  language  and  its  use 

Hybrid cc extends concurrent constraint programming with defaults, continuous
combinators and objects. The basic set of combinators in Hybrid cc is as follows:

  c                    tell the constraint c
  if d then A          if d holds, reduce to A
  unless d then A      reduce to A unless d holds
  A, B                 parallel composition
  new V in A           V is local to A
  forall C(X) do A     do A[I/X] for each instance I of class C
  hence A              execute A at every instant after now
  X(T1, ..., Tk)       execute X with parameters T1, ..., Tk

The  constraint  system  we  have  implemented  is  as  follows. 
Continuous Constraints. These constraints assert equalities and inequalities over
arithmetic terms. The syntax is as follows:

  ContConstr ::= Term RelOp Term | cont(LVariable)
  RelOp      ::= = | >= | <=
  Term       ::= LVarExpr | Constant | Term BinOp Term | UnOp(Term) | Term'
  LVarExpr   ::= LVariable | UVariable.LVarExpr
  BinOp      ::= + | - | * | / | ^
  UnOp       ::= - | sin | cos | log | exp | prev

LVariables are variable names which start with a lowercase character, while
Constants are floating point numbers. LVarExprs are LVariables or property
expressions (see paragraph below). The semantics of most constructs is as
expected. For example, exp(x) is the exponential function e^x, and Term' denotes
the derivative of Term with respect to the implicit variable time.

cont(x) asserts that x is continuous. Thus, always cont(x) asserts that x
is always continuous. The effect of asserting cont(x) in a point phase is that
the value of x in the point phase is set to the value of x at the end of the
previous interval phase. Note that asserting x' = 3 automatically asserts that x
is continuous, as differentiability implies continuity.

Ask arithmetic constraints also allow the RelOps <, > and !=.

Non-arithmetic Constraints. These are constraints on non-arithmetic variables,
i.e. variables that do not change their values continuously. The syntax for such
constraints is given by

  DConstr  ::= UVarExpr | UVarExpr = DExpr
  UVarExpr ::= UVariable | UVarExpr.UVarExpr
  DExpr    ::= UVarExpr | String | (VarList)[VarList]HccProg
             | (VarList)HccProg | UVarExpr(VarList)[VarList]HccProg
  VarList  ::= UVariable | LVariable | VarList, VarList

A UVariable is a variable name starting with an uppercase character. UVarExprs
are UVariables or property expressions (see below). HccProg is any Hybrid cc
program, as defined above.

A  DConstr  given  as  a  UVarExpr  is  a  signal  constraint.  These  constraints 
are  typically  used  to  communicate  to  some  other  statement  of  code  that  a  certain 
state  is  reached  or  a  certain  property  is  true. 

A String is any string of characters enclosed within double quotes. These are
mostly used for properties of objects, e.g. Switch = "on".

The constraint X = (V1, ..., Vk) HccProg sets up a closure definition. It
defines X to behave like λV1 ... λVk . HccProg, with the exception that X can
only be β-reduced when all k arguments are given. The factorial function can
now be defined recursively as follows:

  P = (n, m, Q){ if (n > 0) then new x in {Q(n - 1, x, Q), m = x * n},
                 if (n = 0) then m = 1 }

so the call P(n, x, P) computes x = n!. Closures are first class objects, and can
be passed around as data.

The constraint C = B(V1, ..., Vk)[P1, ..., Pl]A sets up a class definition. It
defines a class C, where the constructor takes k arguments, and the properties
of C are named Pi, 1 <= i <= l. Note that a property Pi can point to a closure;
this is how methods are defined. A property is treated as a variable inside A.
The functor B is optional, and if used, it must be constrained to a (base) class
from which C inherits all the properties. The code in A is used for defining any
instance of C (see below).

Objects are created using the same syntax as for a closure call, C(Name, t1, ..., tk),
where C will be bound to a class definition. The argument Name is mapped to a
property named Self. A property x can be referred to inside the code as x, but from
outside it must be referred to as Name.x. Any code in C is run with Self = Name
to initialize the object.

Ask constraints for the above have a similar syntax, except that the RelOp !=
is also allowed. Note that asks do not make sense for closure and class definitions,
as we do not perform any unification on these. Thus asking A = (M)HccProg
will always answer unknown.

Computational model of Hybrid cc. The computational model is based on reductions
of statements. Let σ denote a variable store, i.e. a set of interval constraints
x ∈ [a, b], string, atom, closure and class constraints. A Hybrid cc system
consists of a store, a set of Hybrid cc statements, and some auxiliary structures.

A Hybrid cc system alternates between being in a point phase and in an
interval phase. The initial phase is a point. Let A be the initial statement to
be reduced. By the semantics of the operators, defined below, a stable point is
eventually reached for A (we assume throughout that no infinite sequence of
reductions occurs), where all constraints have been propagated, and all reductions
of statements in A have been completed.

Now, either the stable store σ is inconsistent, and the computation is aborted,
or it is consistent. In the latter case, the computation enters the interval phase.
The statements to be reduced in this phase consist of each B that was reduced
by hence B in the point phase, together with the statement hence B itself (remember
that hence B means that B is to be reduced continuously and forever).

Similar to the point phase, all the statements in the set described above are
reduced until a stable point is reached. This determines the set of constraints
that are continuously true in the current phase, and the set of statements to
be reduced at the next point phase. The length of the interval phase is the
longest interval during which the constraint set is unchanged; this is ensured
by making sure that none of the asked constraints changes status. For example,
consider the program

  x = 0, hence {x' = 1, if (x = 2) then y = 1}        (1)

In the interval phase following x = 0, x evolves continuously according to x' = 1,
through the interval (0, 2) until x = 2 is about to become true. At this point the
set of constraints may change, so the next point phase is started.
We first describe the reduction rules for each operator of Hybrid cc, and then
provide the algorithm for the interpreter. The following reduction rules apply in
either phase. Γ denotes a set of Hybrid cc program fragments, σ denotes the store,
next the set of program fragments to be run in the next phase, and default
a set of suspended else statements. The expression σ ⊢ c denotes entailment
checking.

  Tell      ((Γ, c), σ, next, default) → (Γ, σ ∪ {c}, next, default)

  If        σ ⊢ d
            ---------------------------------------------------------------
            ((Γ, if d then A), σ, next, default) → ((Γ, A), σ, next, default)

  Unless    ((Γ, unless d then A), σ, next, default) →
            (Γ, σ, next, (default, unless d then A))

  Par       ((Γ, (A, B)), σ, next, default) → ((Γ, A, B), σ, next, default)

  Forall    σ ⊢ I1, ..., In are instances of C
            ---------------------------------------------------------------
            ((Γ, forall C(X) do A), σ, next, default) →
            ((Γ, A[I1/X], ..., A[In/X]), σ, next, default)

  New       ((Γ, new X in A), σ, next, default) → ((Γ, A[Y/X]), σ, next, default)
            (Y new)

  Call      σ ⊢ P = (V1, ..., Vk)A
            ---------------------------------------------------------------
            ((Γ, P(t1, ..., tk)), σ, next, default) →
            ((Γ, A[t1/V1, ..., tk/Vk]), σ, next, default)

The rule for hence A differs in point and interval phases.

  Hence Point     ((Γ, hence A), σ, next, default) →
                  (Γ, σ, (next, hence A), default)

  Hence Interval  ((Γ, hence A), σ, next, default) →
                  ((Γ, A), σ, (next, A, hence A), default)


The tell rule propagates the effects of the constraints using the algorithms
described in the next section. The combinator forall also suspends, so that
if any further instance I of C is created in the current phase, the combinator
adds A[I/X] to Γ. Similarly, for σ ⊢ c, if c is neither detected true nor false in
the current store, the statement that contains c is suspended and reconsidered
whenever any of the variables in c changes value (e.g. is pruned).

The  algorithm  for  the  interpreter  is  the  same  in  both  phases,  except  for  the 
integration  at  the  end  of  the  interval  phase.  It  involves  the  following  steps: 


1. Run the reduction rules on the current (Γ, σ, next, default), till no further
reductions can take place.

2. If σ is inconsistent, return 0.

3. If default is empty, return 1.

4. Remove one statement from default, say unless c then A. If σ ⊢ c, go to step
3.

5. Add A to Γ. Run the interpreter on the current state. If the result is 1 and
σ ⊬ c, return 1.

6. Undo the effects of the previous step by backtracking. Run the interpreter
on the current state. If the result is 1 and σ ⊢ c, return 1. Otherwise return
0.

Note that the effect of the last three steps is that a maximal set of defaults
is chosen and executed (similar to the maximal extensions of [Rei80]). This
is similar to the causal loops in synchronous languages [Hal93, BB91, Har87,
SJG96]. There can be many different maximal sets; our interpreter chooses any
one randomly. For example, unless X then Y, unless Y then X can reduce
to either X or Y but not both. If no maximal set exists, as for the statement
unless X then X, then the computation must be aborted.
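Added example (not the authors' implementation): a Python model of steps 1 to 6 above restricted to signal constraints, i.e. atoms. The tuple encoding of program fragments, the `~X` spelling of a negated atom and the names `reduce_fragments` and `interpret` are this example's own choices. It takes the first suspended default rather than a random one, so unless X then Y, unless Y then X resolves deterministically, and unless X then X is rejected as the text describes.

```python
from typing import FrozenSet, Iterable, List, Tuple

# Encoding of point-phase program fragments assumed by this example (not the
# paper's syntax). Constraints are atoms; "~X" is the negation of atom "X".
#   ("tell", "X")           tell the atom X
#   ("if", "X", A)          if X then A
#   ("unless", "X", A)      unless X then A
#   ("par", A, B, ...)      parallel composition A, B, ...

def consistent(store: Iterable[str]) -> bool:
    """A store is inconsistent if it holds an atom together with its negation."""
    store = set(store)
    return not any(a.startswith("~") and a[1:] in store for a in store)

def reduce_fragments(gamma, store, default):
    """Step 1: apply the reduction rules until no further reduction takes place.
    An ask whose atom is not in the store is suspended and retried whenever a
    tell enlarges the store; unless statements are moved to the default set.
    Inputs are copied, so a caller can backtrack simply by keeping its own."""
    store, default, pending = set(store), list(default), list(gamma)
    while True:
        suspended, grew = [], False
        while pending:
            stmt = pending.pop()
            kind = stmt[0]
            if kind == "tell":                      # Tell: sigma := sigma U {c}
                if stmt[1] not in store:
                    store.add(stmt[1])
                    grew = True
            elif kind == "par":                     # Par: (A, B) -> A, B
                pending.extend(stmt[1:])
            elif kind == "if":                      # If: fires only if sigma |- d
                if stmt[1] in store:
                    pending.append(stmt[2])
                else:
                    suspended.append(stmt)
            elif kind == "unless":                  # Unless: suspend into default
                default.append(stmt)
            else:
                raise ValueError(f"unknown statement {stmt!r}")
        if not (grew and suspended):
            return store, default
        pending = suspended                         # retry the suspended asks

def interpret(gamma, store=frozenset(), default=()) -> Tuple[int, FrozenSet[str]]:
    """Steps 1 to 6 of the point-phase interpreter. Returns (result, store):
    result 1 means a consistent stable state was reached, 0 means abort."""
    store, default = reduce_fragments(gamma, store, default)   # step 1
    if not consistent(store):                                   # step 2
        return 0, frozenset(store)
    while default:                                              # step 3
        _, c, a = default.pop(0)                                # step 4: unless c then A
        if c in store:
            continue                                            # sigma |- c: default blocked
        res, st = interpret([a], store, default)                # step 5: assume the default
        if res == 1 and c not in st:
            return 1, st
        res, st = interpret([], store, default)                 # step 6: backtrack, try without it
        if res == 1 and c in st:
            return 1, st
        return 0, frozenset(store)
    return 1, frozenset(store)

if __name__ == "__main__":
    mutual = ("par", ("unless", "X", ("tell", "Y")), ("unless", "Y", ("tell", "X")))
    print(interpret([mutual]))                           # exactly one of X, Y
    print(interpret([("unless", "X", ("tell", "X"))]))   # (0, ...): no maximal set
```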

A Hybrid cc program A is run as follows.

1. Run the interpreter with Γ = A, and empty σ, next and default, in the point
phase. If the result is 0, abort.

2. Run the interpreter in the interval phase with Γ = next, as returned by the
point phase; σ, next and default are again empty. If the result is 0, abort.
Record all the tells, and also the ask constraints that were checked during
the phase.

3. Integrate the arithmetic constraints that were told in the previous step,
until one of the ask constraints changes status (i.e. goes from false to true
or unknown, etc.). Go to step 1 with Γ = next.

Hybrid  cc  also  contains  various  constructs  from  synchronous  programming, 
e.g.  do  A  watching  c,  when  c  do  A,  but  since  their  behavior  can  be  derived 
from  the  behavior  of  the  above  constructs  we  omit  them  here. 


Implementation.  Our  interpreter  implements  essentially  the  above  algorithm, 
with  a  few  changes.  For  example,  the  interpreter  is  not  recursive,  but  uses 
stacks  for  managing  the  backtracking.  The  compiler  of  Hybrid  cc  straightfor¬ 
wardly  translates  each  statement  A  into  an  expression  graph,  where  each  node 
corresponds  to  an  operator  of  the  language.  We  optimize  memory  by  sharing 
code  as  far  as  possible. 

We  omit  a  detailed  description  of  the  implementation,  since  most  of  it  is 
based  on  standard  techniques  for  how  a  concurrent  constraint  language  based 
on  reductions  is  implemented,  e.g.  we  have  borrowed  from  AKL  and  cc(FD) 
[HSD92,  Jan94]  in  how  constraints  and  suspensions  are  treated,  how  memory  is 
managed  (using  a  conservative  garbage  collector  for  C),  and  how  backtracking 
is  implemented  (using  choicepoint  and  trail  stacks). 
3 The constraint solvers

3.1  Nonlinear  equations 

We consider in the following only constraints of the form f(x) = 0, as all
other constraints can be reduced to this form by introducing slack variables.
Interval pruning is used as the basic means for constraint solving. We have
implemented four pruning operators: indexicals, interval splitting, the Newton-
Raphson method, and the Simplex method. The pruning is hence stated as:
given f(x) = 0 and an interval constraint x ∈ [a, b] for x, apply one or more
operators to f(x) to compute a new interval [a1, b1] ⊆ [a, b] for x. If this fails,
the constraint is deemed inconsistent.

An indexical is the fastest way to update the interval for x [HSD92, Car95].
Given f(x, y) = 0, we try rewriting the constraint in an explicit form x = g(y),
for some term g. Now x is set to [a, b] ∩ g(I/y), where y ∈ I holds in the current
store, and g is evaluated over intervals.

For example, consider x + y = 0, x ∈ [0, 3], and y ∈ [-2, -1]. Then the
indexical x = -y is used to set x to [1, 2].

Splitting of intervals is used to narrow the interval for x by splitting it
recursively. Given f(x, y) = 0, x ∈ [a, b], y ∈ I, we split [a, b] until the smallest
a1 ∈ [a, b] is found such that 0 ∈ f(a1, I). Hence, if 0 ∈ f([a, (a+b)/2], I), then
a1 ∈ [a, (a+b)/2], and otherwise a1 ∈ [(a+b)/2, b]. Similarly, b1 is computed, thus
x ∈ [a1, b1].

For example, given x^2 = 1 and x ∈ [-∞, ∞], it follows that 0 ∈ f([-∞, 0]),
but 0 ∉ f([-∞, -100]) say, so a1 is determined to be in [-100, 0]. Eventually, a1 is
determined to be -1.

The third pruning method is the Newton-Raphson method adapted to intervals [AH83,
VMK95]. As in splitting, the leftmost and rightmost zeros for f(x) are computed
separately. Let f'(x) = df/dx, and let I = [a, b] be such that 0 ∈ f(I) and 0 ∉ f'(I)
(this guarantees that there is only one zero in I, and can be accomplished by
splitting), and let m_i ∈ I_i. Let I_0 = I, and define I_{i+1} = I_i ∩ (m_i - f(m_i)/f'(I_i)).
Iterate until I_i = I_{i+1}. It follows that 0 ∈ f(I_i).

In practice, we combine splitting and the Newton-Raphson method for quick
results, just as in clp(Newton). Splitting is useful in reducing the size of an
interval, but is inefficient in pinning down the roots exactly. The Newton-Raphson
method finds roots very quickly, if they are known to lie in a small interval. For
example, given x^2 = 1 and x ∈ I = [-∞, ∞], we split I recursively until I is
split down to [-2, -1]. By setting I_0 to I, and applying the Newton-Raphson
method, I_i = [-1, -1] is produced. Similarly, [1, 1] is produced for the rightmost
zero. Hence, the final interval returned by the pruning operator is [-1, 1]. Note
that this interval is clearly an approximation to the set of solutions, since only
-1 and 1 are solutions to the equation.
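Added example, not the paper's solver: the splitting plus interval Newton-Raphson pruning of f(x) = x^2 - 1 described above, started from x ∈ [-100, 100] as a finite stand-in for [-∞, ∞], together with the indexical x = -y for x + y = 0. Plain floats without outward rounding are used, so the bounds are illustrative rather than rigorous; the interval helpers and the names `prune`, `outermost_zero` and `newton_contract` are this example's own.

```python
from typing import Callable, Optional, Tuple

Interval = Tuple[float, float]
IFunc = Callable[[Interval], Interval]

# Interval arithmetic on plain floats (no outward rounding: an illustration,
# not a sound solver).
def i_sub(a: Interval, b: Interval) -> Interval:
    return (a[0] - b[1], a[1] - b[0])

def i_neg(a: Interval) -> Interval:
    return (-a[1], -a[0])

def i_mul(a: Interval, b: Interval) -> Interval:
    ps = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(ps), max(ps))

def i_div(a: Interval, b: Interval) -> Interval:
    if b[0] <= 0.0 <= b[1]:
        raise ZeroDivisionError("divisor interval contains 0")
    qs = (a[0] / b[0], a[0] / b[1], a[1] / b[0], a[1] / b[1])
    return (min(qs), max(qs))

def i_sq(a: Interval) -> Interval:
    lo, hi = a
    if lo >= 0.0:
        return (lo * lo, hi * hi)
    if hi <= 0.0:
        return (hi * hi, lo * lo)
    return (0.0, max(lo * lo, hi * hi))

def i_inter(a: Interval, b: Interval) -> Optional[Interval]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def contains(a: Interval, v: float) -> bool:
    return a[0] <= v <= a[1]

def indexical_sum_zero(x: Interval, y: Interval) -> Optional[Interval]:
    """Indexical for x + y = 0: x := x ∩ g(I/y) with g(y) = -y."""
    return i_inter(x, i_neg(y))

def newton_contract(f: IFunc, df: IFunc, I: Interval, max_iter: int = 100) -> Optional[Interval]:
    """Interval Newton-Raphson: I_{i+1} = I_i ∩ (m_i - f(m_i)/f'(I_i)) until
    I_i = I_{i+1}. Requires 0 ∉ f'(I). Returns None if I is shown to hold no zero."""
    for _ in range(max_iter):
        m = (I[0] + I[1]) / 2
        N = i_sub((m, m), i_div(f((m, m)), df(I)))
        J = i_inter(I, N)
        if J is None:
            return None
        if J == I:
            break
        I = J
    return I

def outermost_zero(f: IFunc, df: IFunc, I: Interval, leftmost: bool = True,
                   eps: float = 1e-12) -> Optional[Interval]:
    """Splitting: halve I recursively, visiting the left (or right) half first,
    until a sub-interval with a unique zero is found; then pin the zero down
    with Newton-Raphson. Returns the interval enclosing the leftmost (rightmost)
    zero, or None when f has no zero in I."""
    if not contains(f(I), 0.0):
        return None                                   # 0 ∉ f(I): no zero here
    if I[1] - I[0] < eps:
        return I                                      # too narrow to split further
    if not contains(df(I), 0.0):
        return newton_contract(f, df, I)              # unique zero in I
    m = (I[0] + I[1]) / 2
    halves = [(I[0], m), (m, I[1])] if leftmost else [(m, I[1]), (I[0], m)]
    for half in halves:
        z = outermost_zero(f, df, half, leftmost, eps)
        if z is not None:
            return z
    return None

def prune(f: IFunc, df: IFunc, I: Interval) -> Optional[Interval]:
    """The pruning operator for f(x) = 0 over x ∈ I: [a1, b1] spanned by the
    leftmost and rightmost zeros, or None when the constraint is inconsistent."""
    left = outermost_zero(f, df, I, leftmost=True)
    if left is None:
        return None
    right = outermost_zero(f, df, I, leftmost=False)
    return (left[0], right[1])

# f(x) = x^2 - 1 and f'(x) = 2x, both evaluated over intervals.
def f_sq_minus_1(x: Interval) -> Interval:
    return i_sub(i_sq(x), (1.0, 1.0))

def df_sq_minus_1(x: Interval) -> Interval:
    return i_mul((2.0, 2.0), x)

if __name__ == "__main__":
    print(prune(f_sq_minus_1, df_sq_minus_1, (-100.0, 100.0)))   # about (-1.0, 1.0)
    print(indexical_sum_zero((0.0, 3.0), (-2.0, -1.0)))          # (1.0, 2.0)
```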

The Simplex method is used as a global pruning method and is applied only at
certain times due to its high cost, unlike the previous lightweight methods, which
are applied incrementally. It is useful for detecting inconsistent conjunctions that
otherwise lead to slow convergence of the propagator, a well-known problem
when inequalities are used. For example, consider the conjunction {x < y - ε, y <
x - ε}, for some small ε > 0. This conjunction is inconsistent, but the pruning
algorithm reduces the size of the intervals by ε at each iteration, forcing a large
number of iterations before an inconsistency is detected.

Given a set of constraints C = {c1, ..., ck}, we linearize them into a set of
linear constraints L = {l1 = 0, ..., lk = 0}, by replacing each nonlinear term, e.g.
xy, by a new variable z uniformly throughout the set C. The detection of common
subexpressions is useful here. Hence, each l_i is of the form a0 + a1 z1 + ... + an zn =
0, for some constants a_j and variables z_j. Note that if C is consistent then L is
consistent.

Now, we apply the Simplex method to L to check whether L is inconsistent,
using standard techniques. If successful, the Simplex algorithm can be used again
for pruning the original variables of C. For each such variable x, a1 (the new
minimum value of x) is computed by minimizing x, and b1 (the new maximum)
by maximizing x.

By applying the above, a conjunction such as x + y = 3, 2x - y = 0 produces
the interval constraints x ∈ [1, 1] and y ∈ [2, 2] immediately, whereas the other
operators produce no pruning. The conjunction x < y - ε, y < x - ε is shown to
be inconsistent.

Implementation. Internally, each constraint c is decomposed into a set of pairs
(x, f), where x is a variable in c and f is either the indexical that prunes x,
derived as above, or c itself. The latter is then used for splitting and Newton-
Raphson. Each variable y points to a set of such pairs, such that when y is
pruned, the variables dependent on y are also pruned. Prunings are propagated
by a variant of the arc-consistency algorithm (Figure 1).

We use an optimization based on the fact that decomposing a constraint
as above produces equivalent variants, and hence when one variant is true the
others are true too [Car95]. Hence, for each (x, f) that is dequeued, if f is marked
as entailed, the pair is ignored since no more pruning is generated by f. When a
pair (x, f) is enqueued, the list of variables of f is checked. If all of them (except
the slack variables) are bounded by an interval [a, a], f is marked entailed. All
pairs generated from the same constraint share the entailment mark, hence when
one is marked, they are all marked.

Telling  in  a  point  or  interval  phase.  In  a  point  phase,  if  we  constrain  the  vari¬ 
able  x' ,  then  in  addition  to  the  propagation  described  above  we  infer  that  x  is 
continuous,  and  set  its  value  to  the  limiting  value  in  the  previous  interval  phase, 
if  one  exists. 

In an interval phase, for an arithmetic constraint t = 0, for which t' is defined,
the arithmetic constraint t' = 0 is also added (this is done recursively while the
derivatives of all the variables are defined). For example, if x + y = 0 is added,
then x' + y' = 0 is added too, if x' and y' are defined in the current state.
This is sound, and improves the propagation and entailment checking by adding
redundant constraints.
  int propagate(queue) {
    while (queue is not empty) {
      (var, constraint) = dequeue(queue);
      if constraint is marked entailed continue;
      if constraint is an indexical
        interval = intersect(var, evalIndexical(constraint));
      else
        interval = project(var, constraint);   // using splitting, NR
      if interval is empty return 0;
      if interval is a strict subset of var {
        var = interval;
        enqueue(var->constraints, queue);
        if all variables in constraint are determined
          mark constraint entailed;
      }
    }
    return 1;
  }

Fig. 1. Pseudo-code for the propagator


3.2  Entailment  checking 

Let the current store be σ. In the point phase, a constraint t = 0 is entailed if
t evaluates to [0, 0] in σ, where each operator is evaluated over intervals rather
than points, and where a variable x is replaced by [a, b], where x ∈ [a, b] belongs
to σ. Similar reasoning is applied to t < 0 and t <= 0. We assume that each
arithmetic constraint is normalized to one of the forms above.

In the interval phase, if t = 0 was true in the previous point store, and t' <= 0
holds in σ, then t <= 0 also holds in σ. Similarly, for any positive natural number
n for which t^(n) is defined, if t^(n) = 0 and t^(m) <= 0 are true in σ, for all m s.t.
0 < m < n, then t <= 0 is true in σ. The constraint t = 0 is consequently true in the
interval phase if t^(m) = 0 is ruled true for all m for which t^(m) is defined.


3.3  Ordinary  differential  equations 

We use a version of Runge-Kutta integration with adaptive step-size for integrating
the differential equations numerically [PTVF92] (although it is easy to add
other integration methods). The initial conditions of the integration are given
by the store from the most recent point phase.

The  pseudo-code  for  the  integrator  is  shown  in  Figure  2,  where  we  give  the 
simpler  fourth-order  Runge-Kutta  with  no  error  checking  to  illustrate  the  inter¬ 
play  between  propagation  and  integration. 

We  have  made  three  changes  to  the  basic  Runge-Kutta  algorithm.  First,  we 
use  interval  arithmetic  throughout.  This  makes  the  system  more  flexible  since 
  integrate(diff_eqs, check_list) {
    let h be the initial step size (0.1);
    let V be the dependent variables of diff_eqs;
    set the initial values of V by the store from the point phase;
    propagate;
  next:
    integrate V;
    if a constraint in check_list is overshot, backtrack and shrink h;
    if a constraint in check_list changes state, stop;
    go to next;
  }

  integrate V {   // 4th order Runge-Kutta with no error-control
    compute k1 from current x' (for each x in V);
    for i in [2,4] {
      initialize a new store;
      update x (for each x in V) to compute ki;
      propagate;
      compute ki from current x' (for each x in V);
    }
    set new x = old x + 1/6*k1 + 1/3*k2 + 1/3*k3 + 1/6*k4;
    propagate;   // to get values of variables after time-step
  }

Fig. 2. Overview of the integration procedure


we  do  not  require  specific  initial  conditions,  e.g.  a  variable  x  can  be  constrained 
to  [0, 100]  at  the  start  of  the  integration.  However,  the  interval  arithmetic  also 
introduces  a  divergence  problem.  For  some  examples,  the  solution  interval  for  a 
variable  x  grows  in  size  as  the  integration  proceeds,  i.e.  we  lose  precision.  We 
are  exploring  methods  for  improving  this  automatically,  but  meanwhile  we  rely 
on  using  redundant  constraints  to  contain  the  divergence  (see  example  below) . 

Second, each step in the integration includes propagation (but with no use
of the Simplex algorithm), so that we can solve simultaneous equations of an
arbitrary form. In the standard Runge-Kutta procedure, x_{n+1} is computed from
x_n (its previous value) by considering the explicit equation x' = f(x) and
computing x_{n+1} by

  x_{n+1} = x_n + Σ_{i=1}^{6} c_i k_i,

where k_i is defined as

  k_1 = h f(x_n),
  k_i = h f(x_n + b_{i1} k_1 + ... + b_{i(i-1)} k_{i-1}),   1 < i <= 6,

and b_{ij} and c_i are constants given by the Runge-Kutta formulas, and h is the
time step.

In Hybrid cc we do not necessarily have the equation x' = f(x), but rather one
or several equations on x', e.g. (x')^2 = x. We thus compute k_i by first setting each
dependent variable (x for which x' is constrained) to x_n + b_{i1} k_1 + ... + b_{i(i-1)} k_{i-1},
where x_n is the previous interval for x, and then propagating, in an initially
empty store σ_i, the consequences of the differential equations. At quiescence, k_i
is set to [h a_i, h b_i], where x' is constrained to [a_i, b_i] in σ_i. Afterwards, each σ_i is
discarded.




Example 1. The following system of equations describes the tank temperature (t)
and concentration of a substance a (c_a) in a tank being stirred (the other
parameters are constants) [Kay96].

  c_a' = -k0 e^(-E/t) c_a

         k0 e^(-E/t) c_a

This system is highly nonlinear due to the exponential containing t. It diverges
very quickly given an initial state such as 0.933 < c_a < 0.934, 353.358 < t <
353.36: after some steps t and c_a both become [0, ∞). Adding the constraints
c_a > 0.8445 and t' < 0 to the set of differential equations keeps the intervals
for c_a and t considerably narrower (the width being of the order 10^-2). These
constraints can be obtained automatically by using qualitative methods [Kay96].

Third, the integration is made to interrupt exactly at the time instant when
some constraint in a given list of constraints to be checked changes its state.
This is necessary to make the results of the implementation independent of
the step-size, modulo numerical errors. Thus in program (1), x = 2 is false
while x ∈ (0, 2), but when the integrator reaches x = 2 we must switch to the
point phase. The point when the integrator stops is called the breakpoint.

The standard Runge-Kutta procedure however does not know about the
breakpoints, so it may overshoot, e.g. in the program above, go from x = 1.9 to
x = 2.3 in one step, depending upon the current integration stepsize. Hence, we
must force the integrator to consider every "important" point.

We  detect  overshooting  by  recording,  for  each  given  constraint  to  be  checked, 
whether  it  is  initially  true  or  false  or  neither.  For  each  integration  step,  we  check 
whether  the  status  of  any  constraint  changes,  e.g.  goes  from  true  to  false.  When 
we  detect  overshooting,  we  backtrack,  i.e.  we  undo  the  most  recent  integration 
step,  and  try  a  smaller  step  size  to  find  the  point  when  the  break  should  happen 
exactly,  e.g.  in  the  program  above,  force  the  integrator  to  reach  x  =  2.  Currently, 
we  use  a  simple  linear  interpolation  technique  for  computing  the  smaller  step 
size,  though  more  sophisticated  techniques  are  possible. 

4  Examples  and  Evaluation 

We now give an idea of the performance of Hybrid cc on some representative
benchmarks picked from [vHLB97]. We show the runtimes of Hybrid cc computing
all the solutions to each problem on a SPARCstation 20 system. For example,
the Broyden Banded functions are computed by the following constraints:

  f_i(x_1, ..., x_n) = x_i(2 + 5x_i^2) + 1 - Σ_{j ∈ J_i} x_j(1 + x_j)    (1 <= i <= n)

where J_i = {j | j ≠ i ∧ max(1, i - 5) <= j <= min(n, i + 1)}, which for n = 3 is
written in Hybrid cc as:
  0 = x1 * (2 + 5*x1^2) + 1 - x2*(x2+1),
  0 = x2 * (2 + 5*x2^2) + 1 - x1*(x1+1) - x3*(x3+1),
  0 = x3 * (2 + 5*x3^2) + 1 - x1*(x1+1) - x2*(x2+1),
  -1 <= x1, x1 <= 1, -1 <= x2, x2 <= 1, -1 <= x3, x3 <= 1


For these problems, the constraint solver of Hybrid cc finds the unique solution
to within 10^-6.

The  other  examples  we  have  considered  are  the  More-Cosnard  nonlinear  in¬ 
tegral  equations,  an  interval  arithmetic  problem  (i4),  and  a  combustion  problem 
[vHLB97].  We  give  the  runtimes  for  some  different  n  in  the  case  of  the  Broyden 
Banded,  and  the  More-Cosnard  equations. 


  Example            run-time (sec)    Example            run-time (sec)
  Broyden 10              0.13         More-Cosnard 40        39.8
  Broyden 40              0.6          More-Cosnard 80       436
  Broyden 160             2.6          interval 4             21.2
  More-Cosnard 10         0.4          combustion              6.2

These  numbers  compare  with  the  numbers  published  for  clp(Newton)  as  fol¬ 
lows.  In  the  Broyden  and  More-Cosnard,  Hybrid  cc  is  between  3  and  5  times 
as  fast,  taking  the  difference  between  the  hardware  used  into  account.  For  the 
interval-4  example,  Hybrid  cc  is  twice  as  fast  as  clp(Newton),  and  for  the  com¬ 
bustion  example  50%  slower. 

We  present  a  longer  example  illustrating  the  use  of  Hybrid  cc  in  modeling  a 
hybrid  system.  The  scenario  modeled  is  a  pool  table  with  several  balls  rolling 
on  it  with  various  initial  velocities.  The  balls  keep  rolling  in  a  straight  line  until 
they  hit  another  ball  or  the  edge  of  the  table  or  fall  into  a  pocket,  or  come  to 
rest  due  to  friction. 

The class Ball defines a ball with initial parameters giving its position and
velocity. Its properties are its position and velocity, and some signals to notify
changes in its velocities etc. The initial velocity and position are set up. The
direction of motion of the ball is also computed as cos^2 θ, where θ is the direction
of motion of the ball. The ball is active until it falls into a pocket, indicated by
trap Pocketed in ...; at that moment all program fragments associated
with the ball are terminated. While the ball is rolling, its velocity decreases
according to friction. If ChangeX or ChangeY become true, then the program
issuing the Change signal computes the new velocity. lcont(x) asserts that the
variable x is left continuous, and rcont(x) asserts that the variable x is right
continuous.

The  closures  Edge  and  Collisions  keep  checking  if  the  balls  collide  with  the 
edge  of  the  table  or  with  each  other.  In  each  case  a  new  velocity  is  computed  for 
the  ball(s)  involved,  according  to  the  standard  laws  of  kinematics.  The  closure 
Pocketed  checks  if  any  ball  has  fallen  into  a  pocket,  and  issues  the  appropriate 
signal  to  terminate  the  ball’s  existence. 


    Ball = (initpx, initpy, initvx, initvy)
      [px, py, vx, vy, ChangeX, ChangeY, Pocketed] {
        px = initpx, py = initpy,
        vx = initvx, vy = initvy,
        new direction in {
          direction = vx^2/(vx^2 + vy^2),
          do always {
            cont(px), cont(py),
            lcont(vx), lcont(vy),
            if (ChangeX || ChangeY) then direction = vx^2/(vx^2 + vy^2),
            unless (ChangeX || ChangeY) then direction' = 0,
            px' = vx, py' = vy,
            unless ChangeX then {
              cont(vx),
              if (vx < 0) then vx' = fric * direction^0.5,
              if (vx > 0) then vx' = -fric * direction^0.5,
              if (vx = 0) then vx' = 0
            },
            unless ChangeY then {
              cont(vy),
              if (vy < 0) then vy' = fric * (1 - direction)^0.5,
              if (vy > 0) then vy' = -fric * (1 - direction)^0.5,
              if (vy = 0) then vy' = 0
            }
          } watching Pocketed
        }
      },

    Edges = (){
      always forall Ball(X) do {
        if (X.px = radius || X.px = xMax - radius) then {
          XEdgeCollision,
          X.ChangeX, X.vx = -prev(X.vx)
        },
        if (X.py = radius || X.py = yMax - radius) then {
          YEdgeCollision,
          X.ChangeY, X.vy = -prev(X.vy)
        }
      }
    },

    Collisions = (){
      always forall Ball(A) do forall Ball(B) do
        if (A < B) then  // not the same ball
          if ((B.px - A.px)^2 + (B.py - A.py)^2 = 4*radius^2) then {
            Collision,
            if (A.px = B.px) then {
              A.ChangeY, B.ChangeY,
              A.vy = prev(B.vy),
              B.vy = prev(A.vy)
            },
            if (A.px < B.px) then {
              A.ChangeX, B.ChangeX,
              A.ChangeY, B.ChangeY,
              new c in new ix in {
                c := (A.py - B.py)/(A.px - B.px),
                ix := (prev(B.vx - A.vx) + c*prev(B.vy - A.vy))/(1 + c^2),
                B.vx = prev(B.vx) - ix,
                B.vy = prev(B.vy) - c*ix,
                A.vx + B.vx = prev(A.vx + B.vx),  // X-momentum
                A.vy + B.vy = prev(A.vy + B.vy)   // Y-momentum
              }
            }
          }
    },

    Pockets = (){
      always forall Ball(X) do
        if (prev(X.px)^2 + prev(X.py)^2 <= pocket^2
            || prev(X.px)^2 + (prev(X.py) - yMax/2)^2 <= pocket^2
            || prev(X.px)^2 + (prev(X.py) - yMax)^2 <= pocket^2
            || (prev(X.px) - xMax)^2 + prev(X.py)^2 <= pocket^2
            || (prev(X.px) - xMax)^2 + (prev(X.py) - yMax/2)^2 <= pocket^2
            || (prev(X.px) - xMax)^2 + (prev(X.py) - yMax)^2 <= pocket^2)
        then
          X.Pocketed
    },

    always { radius = 3, xMax = 150, yMax = 300, pocket = 7, fric = 1 },
    Ball(B1, 10, 10, 25, 25),
    Ball(B2, 20, 11, -35, 55),
    Ball(B3, 80, 51, -15, 49),
    Edges(),
    Collisions(),
    Pockets()


The last few lines set up the initial configuration. We ran this program for 74 simulated time units, after which all the balls were either at rest or pocketed — the total time of execution was 0.77 seconds on an UltraSparc 2.
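To see the continuous and discrete parts of the Ball class executed, here is a single-ball re-implementation in Python, an added example that is not part of the paper or of the Hybrid cc system. It integrates the friction law of the program above (deceleration of magnitude fric along the direction of motion, with direction = vx^2/(vx^2 + vy^2)) with a fixed Euler step and reproduces the Edges and Pockets closures; ball-ball collisions (the Collisions closure) are left out. The constants are those of the program's final always block; the step size dt and the threshold test that replaces the exact equality X.px = radius are assumptions of this example.

```python
"""One ball on the pool table of the Hybrid cc example (added example, not the
paper's code).  Continuous part: the program's friction law
    px' = vx, py' = vy,
    vx' = -sign(vx) * fric * sqrt(direction),  direction = vx^2 / (vx^2 + vy^2),
    vy' = -sign(vy) * fric * sqrt(1 - direction).
Discrete part: reflection at the cushions (Edges) and removal at a pocket
(Pockets).  Ball-ball collisions are omitted (single-ball case only)."""
import math

# Constants from the program's final  always { ... }  block.
RADIUS, XMAX, YMAX, POCKET, FRIC = 3.0, 150.0, 300.0, 7.0, 1.0
# The six pocket centres tested by the Pockets closure (corners and long-side midpoints).
POCKETS = [(0.0, 0.0), (0.0, YMAX / 2), (0.0, YMAX),
           (XMAX, 0.0), (XMAX, YMAX / 2), (XMAX, YMAX)]


def roll(px, py, vx, vy, dt=1e-3, t_max=200.0):
    """Simulate one ball from (px, py) with velocity (vx, vy).
    Returns (status, t, position): status is 'pocketed' (position = pocket centre),
    'rest' (position where it stopped) or 'rolling' if t_max ran out (assumed dt)."""
    t = 0.0
    while t < t_max:
        # Pockets closure: the ball centre is within the pocket radius of a pocket centre.
        for cx, cy in POCKETS:
            if (px - cx) ** 2 + (py - cy) ** 2 <= POCKET ** 2:
                return "pocketed", t, (cx, cy)
        speed = math.hypot(vx, vy)
        if speed <= FRIC * dt:          # one more friction step would reverse the velocity
            return "rest", t, (px, py)
        # Friction law: the cases vx < 0 / vx > 0 / vx = 0 of the program, via copysign.
        direction = vx * vx / (speed * speed)
        ax = -math.copysign(FRIC * math.sqrt(direction), vx) if vx else 0.0
        ay = -math.copysign(FRIC * math.sqrt(1.0 - direction), vy) if vy else 0.0
        px += vx * dt
        py += vy * dt
        vx += ax * dt
        vy += ay * dt
        t += dt
        # Edges closure: X.vx = -prev(X.vx) when the centre reaches a cushion.  The exact
        # equality X.px = radius becomes a threshold test; the overshoot is mirrored back.
        if px <= RADIUS or px >= XMAX - RADIUS:
            px = 2 * (RADIUS if px <= RADIUS else XMAX - RADIUS) - px
            vx = -vx
        if py <= RADIUS or py >= YMAX - RADIUS:
            py = 2 * (RADIUS if py <= RADIUS else YMAX - RADIUS) - py
            vy = -vy
    return "rolling", t, (px, py)


if __name__ == "__main__":
    print(roll(10, 10, 25, 25))      # ball B1 of the program: pocketed at (xMax, yMax/2)
    print(roll(75, 100, -40, 0))     # constructed case: two cushion bounces, then rest
```

Ball B1 from the program, started at (10, 10) with velocity (25, 25), rolls diagonally and drops into the pocket at (xMax, yMax/2) after about 5.9 time units; a ball rolling along the x axis with speed 40 bounces off both cushions and stops after exactly speed/fric = 40 time units, having travelled speed^2/(2 fric) = 800 units.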


5 Related work

The SHIFT programming language developed at UC Berkeley [DGS96, SDG96] is also intended for simulation of hybrid systems. Programs in SHIFT are synchronous concurrent collections of hybrid automata [ACH+95]. Computations proceed in alternating point and interval phases, as in Hybrid cc. SHIFT has an object-oriented framework for constructing models, and also has constructs with side-effects which are useful in writing state-machines. However, it is not a declarative language — the transitions and states have to be explicitly programmed. The interaction of concurrency and side-effects also causes semantic problems in maintaining determinism. In the current implementation of SHIFT, only fixed step-size Runge-Kutta integration is supported, and breakpoints can occur only at the end of a step.

Differential equations with intervals are an active field of research; we will not attempt to provide a survey here. Most of the research is concerned with using intervals to provide validated solutions to differential equations, i.e. a statement of the form that the solution must lie in a certain interval. For a starting point into the field, see the tutorial by George Corliss [Cor95].

The field of interval reasoning is even larger. Several systems for interval constraint solving have been built; one of the recent ones is clp(Newton) [VMK95, vHLB97], which uses similar propagation methods, but also exploits multiple representations of constraints. This naturally leads to better pruning of the intervals in many problems. However, the above comparison shows that in many problem instances, the performance of our system is comparable to that of clp(Newton).

6 Conclusion and Future Work

We have presented an implementation of a programming language for hybrid systems, Hybrid cc. The key feature of the language, which is reflected in the implementation, is that it is constraint-based, using interval constraints. The interval constraints are necessary to make Hybrid cc applicable to many modeling problems, and the interval propagation used inside the numerical solver for differential equations improves the accuracy of the integration.

Hybrid cc will be used to construct real-life models for engineering and educational purposes. We have already started some work in this direction, and plan to use Hybrid cc for simulation of rovers and spacecraft.
Abstract. In this paper we discuss the problem of calculating the reachable states of a dynamical system defined by ordinary differential equations or inclusions. We present a prototype system for approximating this set and demonstrate some experimental results.


1 Introduction

One of the main activities in verifying a discrete system consists in finding the set of system states which are reachable, via the transition relation, from a given initial set of states (control synthesis for discrete-event systems [RW89] can ultimately be reduced to some variant of reachability analysis [AMP95-b]). For small finite-state systems this is done using simple graph algorithms which manipulate set-theoretical representations of the reachable sets. For systems which are very large, or even infinite, symbolic methods are used, that is, the set of states reachable after $k$ steps of the system is represented by some formula rather than being enumerated explicitly.

Some of this technology has been exported to certain classes of hybrid systems which deserve to be termed piecewise-trivial dynamical systems. These systems, such as timed automata [AD94] or PCD systems¹ [ACH+95], [AMP95-a] exhibit a trivial dynamics in the continuous phase, and all their complexity is due to the interaction between this dynamics and the discrete transitions. For such systems, given some initial polyhedral subset of the state-space, the sets of all its successors via the continuous dynamics can be calculated by straightforward linear algebraic calculation. Even with this simplicity, the reachability problem for such systems is undecidable or even worse ([HKPV95], [AM95]). A practical conclusion from the experience with this class of systems is not to look for fully-automatic decision procedures but rather for more modest goals while trying to analyze continuous systems.

In this paper we discuss the problem of extending the methodology of calculating reachable sets to systems with non-trivial continuous dynamics and no discrete dynamics at all,² namely systems defined by ordinary differential equations. We formulate the problem and describe a technique, suggested by M. Greenstreet [G96], for over-approximating reachable sets. We then introduce a variation on this technique which can be applied more easily to more than two dimensions. Finally we show the results obtained by an experimental implementation of the algorithm for both linear and non-linear systems.

* This research was supported in part by the European Community project HYBRID EC-US-043. Verimag is a joint laboratory of CNRS and UJF.

¹ Dynamical systems with piecewise-constant derivatives; the term Linear Hybrid Automata used in [ACH+95] is unfortunate and causes confusion with linear systems.

² Discrete transitions can later be incorporated naturally into the continuous techniques, if and when such techniques are established.

2 Statement of the Problem

2.1 Deterministic Systems

Definition 1 [Dynamical System.] A differential dynamical system is $S = (X, f)$ where $X = \mathbb{R}^n$ is the Euclidean space and $f : X \to X$ is a continuous function (vector field). A behavior of $S$ starting from a point $x_0 \in X$ is a trajectory $\xi : \mathbb{R}_+ \to X$ satisfying $\xi[0] = x_0$ and for every $t$,

$$\frac{d\xi[t]}{dt} = f(\xi[t]).$$

People less pedantic than the average formal methodologists would simply say:

$$\dot{x} = f(x).$$

It can also be expressed in a somewhat more operational manner:

$$\xi[t] = x_0 + \int_0^t f(\xi[\tau])\,d\tau.$$

The set of states reachable by the system from $x_0$ is defined as

$$\mathit{Reach}(x_0, f) = \{\xi[t] : t \geq 0\}.$$

Typically when we want to prove safety properties of such a system we would like to show that $\mathit{Reach}(x_0, f) \cap Q = \emptyset$ for some $Q \subseteq X$. Except for the rare case when $\mathit{Reach}(x_0, f)$ has a closed-form solution, such as $\{x_0 e^{At} : t \in \mathbb{R}_+\}$ for linear systems, the common way to achieve that goal is to use numerical integration to calculate an approximation of $\mathit{Reach}(x_0, f)$ incrementally. This means starting from $\xi[0] = x_0$ and applying some iteration

$$\xi[(n+1)\Delta] = \xi[n\Delta] + g(\xi[n\Delta])$$

where $\Delta$ is the discretization step and $g$ is supposed to be a good approximation of the integral.

According to the strict standards of discrete verification, this approach is far from being satisfactory: first, we compute $\xi$ only for a small subset of time points, and we might miss a visit of the system in $Q$ at some $t$, $n\Delta < t < (n+1)\Delta$. Secondly, even for points of the form $t = n\Delta$, we compute only an approximation of $\xi[t]$. And finally, the calculation is not guaranteed to terminate (and if it terminates, it is not always for a good reason). Termination of the calculation of $\mathit{Reach}(x_0, f)$ means that the trajectory becomes periodic,³ i.e. $\xi[t] = \xi[t']$ for some $t' > t$, which may sometimes happen numerically only because we approximate the ideal mathematical reals by a finite subset of the rationals. Nevertheless, generations of mathematicians, pure and applied, assure us that given reasonable $f$ and $Q$, we can find $\Delta$ and $g$ such that we need not worry about the first two problems. As for the third one, we should accept it as a sad fact of life, as do all engineers who use simulation methods.

To summarize, given a system $(X, f)$, an initial state $x_0$ and a set of bad states $Q$, we have a methodology, or a semi-algorithm (modulo some numerological conditions) for verifying that from $x_0$ you never reach $Q$:

$R_0 := \{x_0\}$;
repeat $i = 1, 2, \ldots$
    $R_i := R_{i-1} \cup \mathit{Next}(R_{i-1})$
until $(R_i = R_{i-1}) \vee (R_i \cap Q \neq \emptyset) \vee$ (The user gives up)

Here, $\mathit{Next}(R_i)$ means just integrating numerically starting from the last element of $R_i$. Up to this point this is nothing but rephrasing, in a somewhat awkward manner, the common practice of simulation.

2.2 Non-deterministic Systems

In many situations we cannot be sure of the initial conditions nor of the dynamics of the system. In most cases we will have an equation of the form

$$\dot{x} = f(x, u)$$

where $u$ is some unobserved external disturbance, about which we know only some constraints.⁴ The behavior of the system resulting from interaction with any admissible input $u$ can be characterized using differential inclusion [AC84] of the form

$$\dot{x} \in F(x),$$

where $F : X \to 2^X$ is roughly

$$\bigcup_u f(x, u).$$

This is the continuous analogue of a non-deterministic transition system. Such a system, when started at some initial state $x_0$, usually produces dense bundles of trajectories (solutions), which we denote by $L(F, x_0)$. The set of states reachable from $x_0$ at time $t$ (which was simply $\{\xi[t] : t \in \mathbb{R}_+\}$ in deterministic systems) is defined as

$$\mathit{Reach}_t(x_0, F) = \bigcup_{\xi \in L(F, x_0)} \xi[t].$$


³ Which is always the case in finite-state systems.

⁴ Things get even more complicated in control synthesis problems whose generic form is $\dot{x} = f(x, u, v)$ where $u$ and $v$ are two different types of external inputs.
The set of all states visited during the interval $[0, t]$ is

$$\mathit{Reach}_{[0,t]}(x_0, F) = \bigcup_{\tau \in [0,t]} \mathit{Reach}_\tau(x_0, F)$$

and the set of all reachable states is

$$\mathit{Reach}(x_0, F) = \mathit{Reach}_{[0,\infty]}(x_0, F).$$

In order to apply the symbolic verification methodology we would like to have a diverging sequence $t_0, t_1, \ldots$ of time points and calculate a sequence $R_0, R_1, \ldots$ such that $R_0 = \{x_0\}$ and for every $i$, $R_i = \mathit{Reach}_{[0,t_i]}(x_0, F)$. As in the case of numerical integration of a single trajectory, the calculation of $R_{i+1}$ will be based on $f$ and $R_i$, and from a computational viewpoint, the main novel feature here is the calculation of differential successors of a set of points rather than that of a single point. This motivates us to attack first a slightly more restricted version of the problem: calculating the reachable states of a deterministic system starting from a set $P \subseteq X$, namely to find

$$\mathit{Reach}(P, f) = \bigcup_{x \in P} \mathit{Reach}(x, f).$$

This problem already exhibits the major computational difficulty associated with representing and simulating a set of trajectories (see figure 1 for an illustration of the above notions).


[Figure 1: three panels, labeled $\mathit{Reach}(x_0, f)$ (starting point $x_0$), $\mathit{Reach}(x_0, F)$ (starting point $x_0$) and $\mathit{Reach}(P, f)$ (starting set $P$).]

Fig. 1. Calculating reachable states for: 1) A deterministic system starting at a point, 2) A non-deterministic system starting at a point and 3) A deterministic system starting at a set.


3 The Face Lifting Approach

We assume from now on that everything takes place inside a bounded subset of $X$ in which $f$ is Lipschitz.

3.1 Arbitrary Polyhedra

The first ingredient of any solution is a formalism for representing subsets of $X$. Not being computer algebraists, we restrict ourselves to polyhedral sets. These are sets which can be written as boolean combinations of linear inequalities.⁵ Polyhedral sets come in two major varieties, convex and non-convex. Those of the former type can be written as conjunctions of inequalities (intersections of half-spaces) and they are uniquely determined by their sets of vertices.

If the initial set $P$ is convex and $f$ preserves convexity (as in the case of linear systems), we are lucky because for every $t$ we have

$$\mathit{Reach}_t(\mathit{conv}(x_1, \ldots, x_n), f) = \mathit{conv}(\mathit{Reach}_t(x_1, f), \ldots, \mathit{Reach}_t(x_n, f))$$

where $\mathit{conv}$ denotes the convex hull. With this property it would have been sufficient to simulate a finite number of trajectories starting at the vertices. However, in the case of arbitrary differential systems, the approximation of a non-convex polyhedron by its convex hull is usually useless. Just consider what such an approximation gives when $P$ contains a bifurcation point.

The treatment of non-convex polyhedra poses enormous problems in terms of representation, normal forms (which are important to detect the condition $R_{i+1} = R_i$), etc. In the sequel we present a technique, due to M. Greenstreet [G96], which we call face lifting. In the abstract sense, face lifting can be applied to systems in any dimension, but concretely, its practical application to 3 or more dimensions is not at all evident.

The approach is based, first of all, on the following basic observation concerning continuous trajectories: if some point $y \in \mathit{Reach}_t(x, f) - P$ for an interior point $x \in P$, then there exists a point $x' \in bd(P)$ (the boundary of $P$) and $t' < t$ such that $y \in \mathit{Reach}_{t'}(x', f)$. In other words,

$$\mathit{Reach}_{[0,t]}(P) = P \cup \mathit{Reach}_{[0,t]}(bd(P)).$$

Hence, when coming to calculate $R_{i+1}$ from $R_i$ it is sufficient to look at the boundary of the latter (the union of its faces in the case of polyhedral sets and, in particular, its edges in 2-dim).

Consider a face $e$ of a polyhedron such that it is included in the set characterized by the linear equality $a \cdot x = b$. Let $f_e(x)$ denote the outward component of $f(x)$ relative to $e$, that is, the projection of $f(x)$ on the normal to $e$, and let $f(e)$ denote its maximum over $x \in N(e)$, where $N(e)$ is some neighborhood of $e$. Clearly, if $f(e)$ is negative, the face does not contribute new reachable states which cannot be reached from other faces. Otherwise, for every $\Delta$, one can find an $\varepsilon$ such that all the points reachable from $e$ in time $\Delta$ satisfy

$$a \cdot x \leq b + \Delta \cdot f(e) + \varepsilon.$$

Geometrically speaking, this amounts to lifting the face $e$ outward by $\Delta \cdot f(e) + \varepsilon$ (see figure 2). (We omit some details concerning the relation between $\Delta$, $N(e)$, $\varepsilon$ and the Lipschitz constant of $f$, which guarantees the desired property of the approximation). This gives the following procedure for over-approximating $\mathit{Reach}_{[0,\Delta]}(P, f)$:

Calculate $f(e)$ for every face $e$ of $P$. Based on these find the appropriate $\varepsilon$ and push every $e$ whose $f(e)$ is positive by $\Delta \cdot f(e) + \varepsilon$ to obtain $P'$.

⁵ If you want to impress non-logicians, you can say they are possible models of sentences in the first order theory of $(\mathbb{R}, +, <)$ or something.


Fig. 2. A 2-dimensional example of the approach: a polyhedron $P$ and a sample of the values of $f$ on its edges. Only edges $e_1$, $e_2$ and $e_3$ have a positive outward component of $f$ and they are pushed into $e'_1$, $e'_2$ and $e'_3$. The vertices $\{v_1, \ldots, v_4\}$ are replaced by $\{v'_1, \ldots, v'_4\}$.

By construction, we have $\mathit{Reach}_{[0,\Delta]}(P, f) \subseteq P'$. It can be shown that locally, you can make the difference between the reachable set and its approximation as small as you like, by taking smaller $\Delta$. Better approximation can be achieved by cutting a face into sub-faces whenever $f$ has a large variation over the face. However, there are cases where, in the long run, the method will produce unboundedly large over-approximations of $\mathit{Reach}(P, f)$, as shown in figure 3.

We have implemented the method for dimension 2 and obtained results similar to those obtained by other means (see section 4 for experimental results). However, the extension to more than two dimensions is difficult as the special properties of the plane no longer hold. In $\mathbb{R}^2$, an ordered set of vertices always defines a unique polygon⁶ and the abstract operation of identifying a face can be realized by picking a pair of neighboring vertices. Similarly, the face lifting operation can ultimately be realized by replacing vertices in a list.

This is not true in more than two dimensions, where even convex polyhedra can exhibit a complicated structure with degeneracy which makes face recognition very hard. Consequently, we have tried another approach, slightly inspired by the basic ideas underlying the numerical solution of PDEs.


⁶ In fact, if we do not insist on connected polygons, it defines either the polygon or its complement.
Fig. 3. A bad example: consider an axes-parallel rectangle and a constant vector field $f$ with non-zero components in both dimensions. The reachable set lies between the two dotted diagonal lines, but the method will produce the whole upper-left orthant.


3.2 Griddy and Isothetic Polyhedra

Consider the sub-class of polyhedra which can be obtained by boolean combinations of inequalities of the form $x_i < c$ where $x_i$ is a component of $x$ and $c$ is an integer constant.⁷ In other words, we partition the space into uniform hyper-rectangles and consider all polyhedra which can be written as unions of those (see figure 4-a). We call these griddy polyhedra.

Since such polyhedra are "finitely generated" (in a bounded sub-space) they admit a very simple representation using $n$-dimensional $0$–$1$ matrices. It is also easy to determine whether an $(n-1)$-dimensional hypercube is indeed part of the face of the polyhedron, and there is a systematic simple way to enumerate all the faces and calculate $f(e)$, the normal to a face now being always parallel to one of the axes (see figure 4-a). With such a representation we can apply, in principle, face lifting in any dimension.
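To make the procedure of section 3.1 concrete on the griddy representation just described, here is the fixed-grid variant of face lifting for griddy polygons in the plane, written as an added example in Python (it is not the paper's implementation). The occupied cells of a uniform grid play the role of the $0$–$1$ matrix, $f(e)$ is approximated by sampling the outward component of $f$ at three points of each face, and the loop is the $R_i := R_{i-1} \cup \mathit{Next}(R_{i-1})$ iteration of section 2.1 run to a fixpoint inside a bounded box. The sample count, the box, and the omission of the slack $\varepsilon$ and of the neighborhood $N(e)$ are simplifications of this example; the node matrix and initial set are those of section 4.1, and the constant field reproduces the bad case of figure 3.

```python
"""Griddy face lifting in the plane (added example; not code from the paper).

The bounded state space is cut into uniform square cells of side h, and a
griddy polygon is the set of occupied cells (the paper's 0-1 matrix).  A face
is a side of an occupied cell whose neighbour across it is empty; its outward
normal is axis-parallel.  f(e) is approximated by the maximum of the outward
component of f over k sample points on the face (the paper's neighbourhood
N(e) and slack epsilon are simplified away here), and a face with f(e) > 0 is
pushed by one whole cell, i.e. to the next grid line, as the fixed grid forces."""
from typing import Callable, Set, Tuple

Cell = Tuple[int, int]
Field = Callable[[float, float], Tuple[float, float]]

# Unit outward normal of the face of a cell that borders the neighbour at offset d.
NORMALS = {(1, 0): (1.0, 0.0), (-1, 0): (-1.0, 0.0),
           (0, 1): (0.0, 1.0), (0, -1): (0.0, -1.0)}


class Grid:
    """Uniform grid: lower-left corner lo, n[0] x n[1] cells of side h."""

    def __init__(self, lo: Tuple[float, float], n: Tuple[int, int], h: float):
        self.lo, self.n, self.h = lo, n, h

    def inside(self, c: Cell) -> bool:
        return 0 <= c[0] < self.n[0] and 0 <= c[1] < self.n[1]

    def box(self, x0: float, x1: float, y0: float, y1: float) -> Set[Cell]:
        """Cells covering an axis-parallel rectangle whose corners lie on grid lines."""
        i0, i1 = (round((x - self.lo[0]) / self.h) for x in (x0, x1))
        j0, j1 = (round((y - self.lo[1]) / self.h) for y in (y0, y1))
        return {(i, j) for i in range(i0, i1) for j in range(j0, j1)}

    def face_samples(self, c: Cell, d: Cell, k: int = 3):
        """k points spread along the face of cell c that borders neighbour c + d."""
        x0 = self.lo[0] + c[0] * self.h
        y0 = self.lo[1] + c[1] * self.h
        for s in range(k):
            a = s * self.h / (k - 1)
            if d[0] != 0:   # vertical face, at x0 (left side) or x0 + h (right side)
                yield (x0 + self.h if d[0] > 0 else x0, y0 + a)
            else:           # horizontal face, at y0 (bottom) or y0 + h (top)
                yield (x0 + a, y0 + self.h if d[1] > 0 else y0)


def face_lift_step(grid: Grid, occupied: Set[Cell], f: Field) -> Set[Cell]:
    """Next(R): push every face whose maximal outward component f(e) is positive."""
    lifted = set(occupied)
    for c in occupied:
        for d, (nx, ny) in NORMALS.items():
            nb = (c[0] + d[0], c[1] + d[1])
            if nb in occupied or not grid.inside(nb):   # not a face, or a wall of the box
                continue
            fe = max(fx * nx + fy * ny
                     for fx, fy in (f(x, y) for x, y in grid.face_samples(c, d)))
            if fe > 0:
                lifted.add(nb)
    return lifted


def reach(grid: Grid, initial: Set[Cell], f: Field, max_steps: int = 200):
    """R_0 := P; R_i := R_{i-1} ∪ Next(R_{i-1}) until R_i = R_{i-1} (fixpoint) or the
    step budget is exhausted.  Returns (R, converged, steps)."""
    r = set(initial)
    for step in range(1, max_steps + 1):
        nxt = face_lift_step(grid, r, f)
        if nxt == r:
            return r, True, step
        r = nxt
    return r, False, max_steps


# The paper's "node" (section 4.1): x' = -5x, y' = -2y, initial set [0.2,0.5] x [0.2,0.4].
def node_field(x: float, y: float) -> Tuple[float, float]:
    return (-5.0 * x, -2.0 * y)


# The bad case of figure 3: a constant field pointing up and to the left.
def constant_field(x: float, y: float) -> Tuple[float, float]:
    return (-1.0, 1.0)


def demo():
    node_grid = Grid((0.0, 0.0), (10, 10), 0.1)
    node_reach, ok, _ = reach(node_grid, node_grid.box(0.2, 0.5, 0.2, 0.4), node_field)
    bad_grid = Grid((0.0, 0.0), (8, 8), 0.25)
    bad_reach, ok2, _ = reach(bad_grid, bad_grid.box(1.0, 1.5, 0.5, 1.0), constant_field)
    return len(node_reach), ok, len(bad_reach), ok2


if __name__ == "__main__":
    print(demo())
```

For the node the iteration reaches a fixpoint after five steps with 20 cells, since the faces on the lines $x = 0$ and $y = 0$ have zero outward component; for the constant field it fills the whole $6 \times 6$ block up and to the left of the rectangle, which is the orthant of figure 3 cut off by the box, although the true reachable set is only a diagonal band.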

Techniques developed for griddy polyhedra can be adapted to the more general class of isothetic polyhedra, generated by arbitrary axes-parallel hyper-rectangles. These can be represented by a non-uniform grid depending on the represented polyhedron. The set of grid coordinates in any dimension consists of all projections of vertices of the polyhedron (see figure 4-b) and may change during the computation. The non-uniform grid has two main advantages over the uniform one:

1. Space: a griddy polyhedron which can be decomposed into few large rectangles can be represented more succinctly. However, when this method is used to represent, say, an approximation of a circle, the grid becomes very dense and this advantage is lost.

⁷ Of course, $c$ can belong to the set of integer multiples of some rational constant as well.

Fig. 4. (a) A griddy polygon. Some of the faces are annotated by their corresponding outward directions. (b) An isothetic polygon and its associated non-uniform grid. Face lifting can cause a refinement of the grid.


2. Expressive power and accuracy: with a fixed grid we need to push every face further to the next integer value, which sometimes creates an unnecessary over-approximation, beyond what is inherent in face lifting alone (see example in the next section). With a variable grid we can push faces as little as we want.

Both methods are not very space efficient and we are currently investigating a canonical and much more succinct representation of these polyhedra.

4 Experimental Results

We have implemented griddy face lifting in 2 and 3 dimensions using the above-mentioned representation methods. For the uniform grid we use simply an $n$-dimensional array. For the non-uniform grid we use a linked list representation which currently consumes much more computation time.

In both methods we decompose every face into elementary hyper-rectangular elements and apply the basic operation of numerical optimization of $f$ to every such element. This is, of course, less efficient than a coarser decomposition of the face into larger hyper-rectangles, an approach we intend to implement in the future. On the other hand, this is better in terms of accuracy. All the results described below, except for the 3-dimensional example, were obtained using the fixed grid implementation.

4.1 Linear Systems in $\mathbb{R}^2$

In figure 5 we demonstrate the behavior of the algorithm on various classes of linear systems of the form $\dot{x} = Ax$ (see [HS74] for the classification). We treat the following cases:
Type     $A$                                                          Initial set
Center   $\begin{pmatrix} 0.0 & -6.0 \\ 3.0 & 0.0 \end{pmatrix}$      $[-0.25, 0.25] \times [-0.25, 0.25]$
Node     $\begin{pmatrix} -5.0 & 0.0 \\ 0.0 & -2.0 \end{pmatrix}$     $[0.2, 0.5] \times [0.2, 0.4]$
Saddle   $\begin{pmatrix} -5.0 & 0.0 \\ 0.0 & 4.0 \end{pmatrix}$      $[0.0, 0.4] \times [-0.0, 0.4]$
Sink     $\begin{pmatrix} -2.0 & -3.0 \\ 3.0 & -2.0 \end{pmatrix}$    $[-0.1, 0.3] \times [0.1, 0.3]$

Sometimes, the use of a fixed grid generates an over-approximation which covers all the space. This is evident in the case of a center where every edge will have a non-zero outward component in some dimension.⁸ Consequently we have changed in these cases the rounding rule to obtain the desired result, that is, we push a face to the nearest grid unit and not necessarily outward. The price is in not being an over-approximation anymore. Using a variable grid is another way to solve this problem. Note that the optimization of $f$ over a face is much cheaper computationally in the linear case.


4.2 Mixing Tank

This example, taken from [SKE97], is a typical non-linear equation encountered in chemical engineering. The variables $x_1$, $x_2$ denote, respectively, the height and the concentration of liquid in a mixing tank with two inlets (with different rates and concentrations) and one outlet. The equation is


f  1  —  fll  Cl  2 

i 2  =  ^r(l-a4X2) 

With our choice of parameters, $(1.322, 1.652)$ is an equilibrium state of the system. In figure 6 the states reachable from an initial set $[1.12, 1.17] \times [1.56, 1.68]$ are depicted, and one can see the convergence to the equilibrium.

⁸ At least, this case is not generic.

Fig. 5. Reachable sets of linear systems of type: 1) Center, 2) Node, 3) Saddle and 4) Sink. The white rectangles denote the initial sets.


4.3 Airplane Safety

The next example is taken from [LTS97]. The state variables $x_1$, $x_2$ represent, respectively, the velocity and the flight path angle. Their evolution is governed by


Xi  =  - 


apx1 

m 


—  5  sin  x2  +  ^ 


Fig.  6.  Mixing  Tank 


The problem is to determine the safe subset of the state-space, i.e. the states from which the system does not leave the envelope $P$ defined as the rectangle $[V_{\min}, V_{\max}] \times [\gamma_{\min}, \gamma_{\max}]$. This is equivalent to calculating the complement of the set of states reachable from $X - P$ by the reverse system. The results, depicted in figure 7, correspond to specific choices of values for parameters and for the controls $u_1 = \ldots$, $u_2 = T_{\max}$ (left) and $u_1 = \theta_{\max}$, $u_2 = T_{\min}$ (right).

The results are consistent with those obtained in [LTS97].


Fig.  7.  Airplane  Safety 
4.4 Linear Systems in $\mathbb{R}^3$

In figure 8 one can see the reachable set of a 3-dimensional system with

$$\begin{pmatrix} -2 & 0 & 0 \\ 1 & -2 & 0 \\ 0 & 1 & -2 \end{pmatrix}$$

starting from the initial region $[-0.025, 0.025] \times [-0.1, 0.1] \times [0.05, 0.07]$.


Fig. 8. Reachable states (left) starting from an initial region (right) for a 3-dimensional linear system.


5 Relation to other Work

There are various works concerning the calculation of reachable sets for differential inclusions. Many of these works are numerical analytic in nature, concerned mostly with calculation of abstract error bounds and less with the crucial questions of data-structures for high dimensional sets.

The problem of calculating $\mathit{Reach}(P, f)$ can be rephrased as a PDE⁹

$$\frac{\partial \varphi}{\partial t} = -\mathrm{grad}(\varphi) \cdot f$$

where $\varphi : X \times \mathbb{R}_+ \to \{0, 1\}$ is defined as $\varphi(x, t) = 1$ iff $x \in \mathit{Reach}_{[0,t]}(P, f)$ and in particular $\varphi(x, 0) = 1$ iff $x \in P$. Sometimes a "continualized" version of $\varphi$ is used, namely a function $\varphi : X \times \mathbb{R}_+ \to \mathbb{R}$ such that $\varphi(x, 0) = 0$ exactly when $x$ is on the boundary of $P$ and $\varphi(x, 0) > 0$ if $x$ is inside $P$. Various methods exist for tracking the evolution of $\varphi$, see, e.g. [S96]. So far we have found no special computational nor didactic advantage in viewing the problem as a PDE instead of a direct ODE formulation, but this might change in the future.

⁹ We owe this insight to P. Caspi [C93]. See also [TPS98] for a PDE-based approach.

In [PBV96] an alternative approach was suggested based on cutting the state-space into cubes, and associating with every cube a rectangular differential inclusion which is a differential inclusion of the form $c_i \leq \dot{x}_i \leq d_i$ for every $i$, with constants $c_i$ and $d_i$. The reachability problem is decidable for this class of systems [PV94], and the idea here is to do exact calculations on an approximate model, where the bounds on $f$ are calculated in a preprocessing stage. Similar to face lifting, this approach can guarantee, by refining the grid, error bounds only for a finite time horizon. This approach has been applied to several examples in [HW96] and in [SKE97]. Some of the ideas underlying face lifting appear already in [KM91] where the authors try to prove a homomorphism from a transistor-level differential model into an automaton. While doing so they also cut the space into a grid and try to calculate the reachability relation among cubes.

Finally, in [G96], [GM98], the authors try to extend face lifting to higher dimensions using another strategy. They restrict themselves to polyhedra which can be written as intersections of cylindrifications of two-dimensional (arbitrary) polygons. This way all the operations are performed on the two-dimensional projections of the polyhedron. There are obvious advantages and shortcomings of this approach compared to the grid-based one, and only time will tell their relative performances in practice.
Abstract: Reachability analysis of hybrid systems imposes restrictions on the continuous and discrete behavior. In this paper a method is proposed to approximate the reachable set of linear systems by linear inequalities. It allows the full continuous dynamics of hybrid systems to be used for reachability analysis. This method is applied to an automotive control problem, which was presented by Stauner et al. in [SMF97].


1  Introduction 

This paper presents an approximation technique for reachable sets of hybrid systems and applies this technique to a problem known from the literature. Stauner, Müller and Fuchs presented in [SMF97] an automotive control problem as a real-life benchmark problem for the analysis of embedded reactive systems. They verified some safety properties for a system which controls the height of one wheel of a car. They determined upper and lower bounds on the height, they showed that the (extended) controller does not change the height in bends, and proved that two special control locations cannot be attained at the same moment. In addition Stauner et al. examined the step response (in the sense of Control Theory) of the system.

Verification of safety properties, which impose restrictions on the reachable states, requires the use of approximation techniques, because the exact reachable sets are difficult to compute and difficult to handle. In general there are two possibilities to cope with this problem. First, one can use an approximation of the hybrid system, i.e. specify a hybrid system with simpler continuous dynamics which includes the behavior of the original system. Stauner et al. used an approximation of nonlinear hybrid systems by linear hybrid systems, i.e. systems where the continuous behavior is governed by variables with piecewise constant derivatives [SMF97, Sta97]. This method is based on the method presented in [HH95, HWT96]. The second possibility is to approximate the reachable sets, but to use (a slight approximation of) the full continuous dynamics of the original specification. Puri, Borkar and Varaiya presented an approximation technique for Lipschitz differential inclusions [PBV95] using a small perturbation of the original system. These perturbations use variables with piecewise constant derivatives. The approximation technique presented in this paper is of the second type. It uses bounded polyhedra which include the reachable sets, and requires that the continuous behavior is governed by piecewise linear differential equations.

The following section presents the HIOA model of Lynch et al. A short description of the automotive control problem is given in the third section. In sections 4 and 5 some aspects of linear inequalities and linear systems are discussed, leading to an approximation method. The last section presents some results for the automotive control problem.

2  The  HIOA  model 

We use the model of Hybrid I/O Automata (HIOA) by Lynch, Segala, Vaandrager and Weinberg [LSVW96] for the description of systems which show both continuous and discrete behavior. This model allows shared variables as well as shared actions. Within this model it is possible to reason about composition of hybrid systems and implementation relations between systems, and it allows the continuous behavior of hybrid systems to be described separately from the discrete behavior.

A hybrid I/O automaton (HIOA) $A = (U, X, Y, \Sigma^{in}, \Sigma^{int}, \Sigma^{out}, \Theta, \mathcal{D}, \mathcal{W})$ consists of:

- Three disjoint sets of input, internal and output variables $U, X, Y$, respectively. Let $V$ be the union of these sets. $\mathcal{V}$ is the set of valuations of $V$. Valuations will also be called states.

- Three disjoint sets $\Sigma^{in}, \Sigma^{int}, \Sigma^{out}$ of input, internal and output actions. $\Sigma^{in}$ contains $e$, a special environment action, which models the occurrence of input which is unobservable except (possibly) through its effect on input variables. $\Sigma$ denotes the union of the input, internal and output actions.

- A nonempty set $\Theta$, a subset of $\mathcal{V}$, containing the initial states. This set is closed under change of values for input variables.

- A set $\mathcal{D} \subseteq \mathcal{V} \times \Sigma \times \mathcal{V}$ of discrete transitions. By definition each input action of a HIOA is always enabled. The environment action only affects inputs, and the input variables may change when a discrete transition occurs.

- A set of trajectories $\mathcal{W}$ over $V$. A trajectory $w$ is a mapping from $I$ to states, where $I$ is a left-closed interval of the time axis $\mathbb{R}^{\geq 0}$ with left endpoint equal to 0. (In general it is sufficient to define the time axis as a subgroup of the real numbers with addition.) $\mathcal{W}$ must contain point trajectories, it has to be closed under subintervals, and if a trajectory $w$ restricted to $[0, t]$ is an element of $\mathcal{W}$ for all $t \in \mathbb{R}^{\geq 0}$, then $w$ has to be an element of $\mathcal{W}$, too. We assume in this paper that $w$ is integrable.

An important concept of HIOA is that of hybrid executions. A hybrid execution fragment $\alpha$ is an alternating infinite or finite sequence of trajectories and actions $\alpha = w_0 a_1 w_1 \ldots$. If $\alpha$ is a finite sequence then it ends with a trajectory. We call $\alpha$ a hybrid execution when the first state of $\alpha$ is an element of $\Theta$. A state $s$ is defined to be reachable if there exists a finite hybrid execution with last state equal to $s$.

The hybrid trace of a hybrid execution records the visible behavior of the execution. The set of all hybrid traces describes the external behavior of a HIOA. A HIOA $A$ implements a HIOA $B$ if the traces of $A$ are a subset of the traces of $B$. "$A$ implements $B$" requires that $A$ and $B$ are comparable, meaning they have the same external actions and the same external variables. A simulation relation (or just simulation) is usually used to prove that the traces of a HIOA $A$ are a subset of the traces of a HIOA $B$. A simulation is a relation which maps all states of a hybrid execution $\alpha$ of $A$ to states of some hybrid execution of $B$, such that the traces of these executions are the same. For more detail see [DL97] or [HSV94].

Complex  hybrid  systems  can  be  modeled  by  composing  HIOAs.  Two  HIOAs 
A  and  B  can  be  composed  if  they  are  compatible,  which  means  they  have  no 
output  actions  or  output  variables  in  common  and  no  internal  variable  of  either 
is  a  variable  of  the  other.  The  composition  of  two  compatible  HIOA  is  itself 
an  HIOA.  The  input  variables  of  the  composition  are  the  union  of  A  and  B’s 
input  variables  minus  the  union  of  their  output  variables.  The  same  holds  for  the 
input  actions.  A  HIOA  is  closed  if  there  are  no  input  actions  or  input  variables. 
Consequently  the  environment  action  has  no  influence  on  closed  systems  and  can 
be  omitted  in  the  specification.  Considering  the  automotive  control  problem,  we 
will  see  in  section  3  that  the  EHC  and  filtered  environment  are  modeled  with 
input  and  output,  but  the  composition  of  these  has  no  input  at  all. 

Hybrid systems typically use two types of variables: variables which range over finite (or at most countable) sets, and variables which range over (a subset of) $\mathbb{R}$. The model of Alur et al. [ACH+95] uses locations and data variables for this purpose. We define $V_D$ as the set of discrete variables and $V_C$ as the set of variables ranging over the reals. We can define $V$ as $V_D \cup V_C$, and the set of valuations $\mathcal{V}$ as $\mathcal{V}_D \times \mathcal{V}_C$. We identify $\mathcal{V}_C$ with (a subset of) $\mathbb{R}^n$. Let $s_D$ and $s_C$ denote the projection of the state $s$ on $V_D$ and $V_C$ respectively.

Transitions are specified in precondition/effect style (tables 1 and 2). Preconditions are predicates with variables from $V$. If a transition is enabled and eventually taken, the state is changed according to the specification of the effect. If a precondition is true or the effect is defined by identity, it is usually omitted. When a transition takes place, the values of the input variables may change arbitrarily. We call a hybrid system clocked with sampling time $t_{sample}$ if discrete transitions may only occur every $t_{sample}$ time units. See for example table 2.


3  The  System 

This section presents the hybrid system used for the automotive control problem [SMF97] in terms of the HIOA model by Lynch et al. The model used by Stauner et al. is followed as closely as possible. For further technical details and a motivation of the specific choices within this model see [SMF97] or [Sta97].

The system consists of different components. First, we have the chassis, whose height can be changed by pneumatic suspension with a compressor and an escape valve. The height is measured by a low-pass filter, which filters disturbances of high frequency, caused for example by holes in the road. The electronic height control (EHC) uses the filtered height to decide whether to use the compressor, the escape valve, or to do nothing.

Fig. 1. The EHC in its environment

The chassis level is influenced by external disturbances and by the escape valve and compressor. The rate of change of the height $h$ of the chassis is the sum of the changes due to disturbances, denoted by $e$, and the changes due to compressor and escape valve, denoted by $c$. The continuous behavior of $h$ is modeled by the linear differential equation

$$\dot{h} = e + c \qquad (1)$$

If the controller uses the escape valve, the height $h$ decreases with a rate $c$ in the interval $[ev_{min}, ev_{max}]$, while using the compressor increases the height $h$ with $c \in [cp_{min}, cp_{max}]$. The bounds of the disturbances are given by $e \in [e_{min}, e_{max}]$. To ensure that the EHC is able to avoid unbounded increase or decrease of height we assume $e_{min} = ev_{max}$ and $e_{max} = cp_{min}$. Of course, one would prefer more realistic and less restrictive assumptions, such as that the average influence of the environment has to be smaller than the average influence of the controller. Stauner et al. believed “(...) that the limits of the expressiveness of (linear) hybrid automata are reached with statements of this kind” [SMF97, p. 144].

The filter keeps track of the height, with the restriction that it takes some time until changes in height are properly detected. This feature is useful, because it limits the influence of short and small disturbances. The filter is modeled by

$$\dot{f} = \frac{1}{T}(h - f) \qquad (2)$$

Here the constant $T$ determines the time the filter needs to adjust the filtered height properly. The filter also has an input action back (synchronization label set_f in [SMF97]), which allows the filtered height to be reset to the setpoint $sp$. The filtered environment (table 1) describes the behavior of the height and the filtered height due to input of the EHC and disturbances by the environment.

Table 1. The filtered environment

  actions:                 continuous variables:       init:
    input:    back           input:    c ∈ ℝ             h = sp
    internal: none           internal: e, h ∈ ℝ          f = sp
    output:   none           output:   f ∈ ℝ

  discrete transitions:
    back:   Effect: f := sp

  trajectories: w is an I-trajectory, if the following holds for all t ∈ I:
    w.ḟ = (1/T)(w.h − w.f)
    w.ḣ = e + c
    w.e ∈ [e_min, e_max]

Initially the controller is in control location in_tolerance and neither the escape valve nor the compressor are used, thus $c = 0$. If the filtered height exceeds an upper limit $otu$, then the controller enters control location down, with the effect that the height decreases with a rate $c \in [ev_{min}, ev_{max}]$. If the controller is in location down and the filtered height gets smaller than a given upper limit $itu$, then the controller re-enters control location in_tolerance and resets the filtered height to the setpoint $sp$. Similarly there is a control location up, which is entered if the filtered height $f$ falls below a lower limit $otl$, with effect $c \in [cp_{min}, cp_{max}]$. In this case the controller re-enters in_tolerance when $f$ exceeds $itl$. To get a realistic model we assume $otl < itl < sp < itu < otu$.

The controller uses different values for $otl, itl, itu, otu$ depending on whether the car is driving or stopped, denoted by indices $d$ and $s$. If the controller leaves in_tolerance it makes a nondeterministic choice between the modes driving and stopped. The HIOA of the EHC (table 2)² uses the modes $s$ for the stopped car and $d$ for the driving car. The model assumes additionally that transitions can only be taken every $t_{sample}$ seconds.
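The precondition/effect tables can be executed directly. The following Python program is an added example (not code from this paper or from [SMF97]): it encodes the EHC transitions of table 2 and the filtered environment of table 1 as predicate/effect pairs, composes them through the shared action back, and runs the clocked closed system against a constructed step disturbance. All numeric constants (thresholds, rates, $T$, $t_{sample}$) are assumed values chosen to satisfy $otl < itl < sp < itu < otu$, $e_{min} = ev_{max}$ and $e_{max} = cp_{min}$; the constants of [SMF97] are not reproduced. The nondeterminism of the model (the choice of $m$, the value of $c$ inside its interval, and which of several enabled transitions fires) is resolved by fixed policies stated in the code.

```python
"""Closed-loop simulation of the EHC (table 2) composed with the filtered
environment (table 1), in precondition/effect style. Added example; every
constant below is assumed for illustration, not taken from [SMF97]."""
import math
from dataclasses import dataclass

# --- assumed parameters (heights in mm, time in s) ---------------------------
SP = 0.0                                                 # setpoint
THRESH = {                                               # otl < itl < sp < itu < otu
    "s": dict(otl=-20.0, itl=-5.0, itu=5.0, otu=20.0),   # car stopped
    "d": dict(otl=-8.0, itl=-3.0, itu=3.0, otu=8.0),     # car driving
}
EV = (-4.0, -2.0)   # escape valve: c in [ev_min, ev_max] (negative: height falls)
CP = (2.0, 4.0)     # compressor:   c in [cp_min, cp_max]
E = (-2.0, 2.0)     # disturbance:  e in [e_min, e_max]; e_min = ev_max, e_max = cp_min
T = 1.0             # filter time constant of (2)
T_SAMPLE = 0.25     # clock period of the EHC


@dataclass
class State:
    """Composed state: discrete part (loc, mode), continuous part (c, h, f).
    t_clock is implicit: transitions are evaluated exactly every T_SAMPLE."""
    loc: str = "in_tolerance"
    mode: str = "s"
    c: float = 0.0
    h: float = SP
    f: float = SP


def flow(s, e, dt):
    """Trajectory segment: exact solution of h' = e + c, f' = (h - f)/T over dt,
    valid because e and c are held constant within one sampling period."""
    r = e + s.c
    g = r * T + (s.h - s.f - r * T) * math.exp(-dt / T)   # g = h - f
    s.h += r * dt
    s.f = s.h - g


# --- discrete transitions of the EHC: precondition / effect pairs -------------
def pre_to_down(s, m):
    return (s.loc in ("in_tolerance", "up") and (s.loc != "up" or m == s.mode)
            and s.f >= THRESH[m]["otu"])

def eff_to_down(s, m):
    s.loc, s.mode, s.c = "down", m, EV[0]    # c :in [ev_min, ev_max]; ev_min chosen

def pre_to_up(s, m):
    return (s.loc in ("in_tolerance", "down") and (s.loc != "down" or m == s.mode)
            and s.f <= THRESH[m]["otl"])

def eff_to_up(s, m):
    s.loc, s.mode, s.c = "up", m, CP[1]      # c :in [cp_min, cp_max]; cp_max chosen

def pre_back(s, _m):
    th = THRESH[s.mode]
    if s.loc == "down":
        return th["otl"] <= s.f <= th["itu"]
    if s.loc == "up":
        return th["itl"] <= s.f <= th["otu"]
    return False

def eff_back(s, _m):
    s.loc, s.c = "in_tolerance", 0.0
    s.f = SP    # shared action: the filter's effect f := sp fires as well

def pre_stay(s, _m):
    if s.loc == "in_tolerance":
        return any(THRESH[k]["otl"] <= s.f <= THRESH[k]["otu"] for k in ("s", "d"))
    th = THRESH[s.mode]
    return s.f >= th["itu"] if s.loc == "down" else s.f <= th["itl"]

def eff_stay(s, _m):
    pass

TRANSITIONS = [("to_down", pre_to_down, eff_to_down), ("to_up", pre_to_up, eff_to_up),
               ("back", pre_back, eff_back), ("stay", pre_stay, eff_stay)]


def step_transition(s, prefer_mode="s"):
    """Fire the first enabled transition at a clock tick. The choice of m in
    to_down(m)/to_up(m) tries prefer_mode first; list order breaks ties."""
    modes = (prefer_mode, "d" if prefer_mode == "s" else "s")
    for name, pre, eff in TRANSITIONS:
        for m in (modes if name in ("to_down", "to_up") else (None,)):
            if pre(s, m):
                eff(s, m)
                return name, m
    raise RuntimeError("no transition enabled: preconditions are not exhaustive")


def simulate(e_of_t, horizon, prefer_mode="s"):
    """Run the clocked composition for `horizon` seconds. e_of_t(t) gives the
    disturbance, constant on each sampling period and inside [e_min, e_max]."""
    s = State()
    actions, h_max, h_min = [], s.h, s.h
    for k in range(int(round(horizon / T_SAMPLE))):
        e = e_of_t(k * T_SAMPLE)
        assert E[0] <= e <= E[1], "disturbance outside the modelled bounds"
        flow(s, e, T_SAMPLE)                          # trajectory up to the tick
        h_max, h_min = max(h_max, s.h), min(h_min, s.h)   # h is linear per segment
        name, m = step_transition(s, prefer_mode)
        actions.append(((k + 1) * T_SAMPLE, name, m))
    return {"actions": actions, "h_max": h_max, "h_min": h_min, "final": s}


def step_disturbance(t):
    """Constructed scenario: the road pushes the chassis up at e_max for 8 s."""
    return E[1] if t < 8.0 else 0.0


if __name__ == "__main__":
    res = simulate(step_disturbance, horizon=12.0)
    for t, name, m in res["actions"]:
        if name != "stay":
            print(f"t={t:5.2f}s  {name}{'(' + m + ')' if m else ''}")
    print("height range:", res["h_min"], "..", res["h_max"])
```

Running it prints the non-stay actions with their times and the range of $h$. Because the trajectory segments use the exact solution of (1) and (2) for piecewise constant $e$ and $c$, the reported height bounds carry no integration error, and the run can be checked against a hand calculation of when $f$ crosses $otu_d$ and $itu_d$.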

In the remainder of this paper matrix and vector multiplication are used. We assume that all matrices and vectors have elements in $\mathbb{R}$ and are of proper size. The block matrix $\binom{A}{B}$ will be denoted as $(A; B)$. $A^T$ and $a^T$ denote the transposition of the matrix $A$ and the vector $a$ respectively. We assume a norm $\|\cdot\|$ like the Euclidean norm. The maximum, minimum, compactness of sets etc. are defined with respect to this norm.

4 Transitions and Linear Inequalities

The composition of the EHC and the filtered environment has some useful properties, which allow a reachability analysis of this system. The system is clocked, the enabling conditions of the transitions are defined by linear inequalities and the assignments are linear. Additionally the continuous behavior is governed by piecewise linear differential equations and the initial set is a bounded polyhedron. The composition of the EHC with the filtered environment is also closed. The main components of a hybrid system are the transitions and the trajectories, sometimes referred to as discrete transitions and continuous transitions. In this and the next section we discuss some features of both (discrete) transitions and trajectories.

² The hybrid automaton used in [SMF97] uses in some places strict inequalities such as '>'.

Table 2. The EHC

  actions:                   continuous variables:        discrete variables:
    input:    none             input:    f ∈ ℝ              input:    none
    internal: stay             internal: t_clock ∈ ℝ≥0      internal: mode ∈ {d, s},
    output:   to_down, to_up,  output:   c ∈ ℝ                        loc ∈ {down, up, in_tolerance}
              back                                          output:   none

  init: t_clock = 0 ∧ c = 0 ∧ loc = in_tolerance

  discrete transitions:
    to_down(m):
      Pre:  t_clock = t_sample ∧ loc ∈ {in_tolerance, up} ∧ (loc = up → m = mode) ∧ f ≥ otu_m
      Eff:  loc := down;  t_clock := 0;  c :∈ [ev_min, ev_max];  mode := m
    to_up(m):
      Pre:  t_clock = t_sample ∧ loc ∈ {in_tolerance, down} ∧ (loc = down → m = mode) ∧ f ≤ otl_m
      Eff:  loc := up;  t_clock := 0;  c :∈ [cp_min, cp_max];  mode := m
    stay:
      Pre:  t_clock = t_sample ∧ (   (loc = in_tolerance ∧ (f ∈ [otl_s, otu_s] ∨ f ∈ [otl_d, otu_d]))
                                   ∨ (loc = down ∧ f ≥ itu_mode)
                                   ∨ (loc = up ∧ f ≤ itl_mode) )
      Eff:  t_clock := 0
    back:
      Pre:  t_clock = t_sample ∧ (   (loc = down ∧ f ∈ [otl_mode, itu_mode])
                                   ∨ (loc = up ∧ f ∈ [itl_mode, otu_mode]) )
      Eff:  loc := in_tolerance;  t_clock := 0;  c := 0

  trajectories: w is an I-trajectory, if the following holds for all t ∈ I:
    w.ṫ_clock = 1
    w.t_clock ≤ t_sample
    if w.loc = in_tolerance then w.c = 0
    if w.loc = up           then w.c ∈ [cp_min, cp_max]
    if w.loc = down         then w.c ∈ [ev_min, ev_max]

Many examples of hybrid systems use linear inequalities for the specification of transitions or to define the set of initial states. Linear inequalities also occur in approximation techniques for nonlinear hybrid systems [HH95, PBV95] and are used to verify invariants of hybrid regular expressions [XHT97].

Given the linear inequality

$$a^T x \leq b \qquad (3)$$

with $x \in \mathbb{R}^n$, $a \in \mathbb{R}^n$ and $b \in \mathbb{R}$, the set of solutions $K$ is a half-space of $\mathbb{R}^n$. The vector $a$ is a normal on the hyperplane which separates $K$ from $K^c$, i.e. $a$ is orthogonal to the hyperplane and points to the complement of $K$. An intersection of half-spaces is called a polyhedron. Using the matrix product we can define a polyhedron as the set of solutions $K \subseteq \mathbb{R}^n$ of

$$Ax \leq b \qquad (4)$$

$A$ is an $m \times n$ matrix, with $m$ the number of inequalities, $b \in \mathbb{R}^m$ is a vector and '$\leq$' means that each element of $Ax$ is less than or equal to the corresponding element of $b$.

We see that the EHC and the filtered environment have preconditions and effects of a special structure. The atomic predicates over continuous variables are of the form $A s_C \leq b$, with $s_C \in \mathbb{R}^n$, $b \in \mathbb{R}^m$, $A \in \mathbb{R}^{m \times n}$. Consequently the preconditions of the EHC define unions and intersections of polyhedra. Note that no strict inequality like '$<$' is allowed, because for computational reasons we want all the polyhedra to be closed, i.e. to contain their boundaries (see footnote 2). Given a HIOA $A$ which uses strict inequalities, we can replace all '$<$' by '$\leq$' and obtain a HIOA $B$ which is implemented by $A$.

Polyhedra are convex, which means that if $x_1$ and $x_2$ are elements of a polyhedron $K$, the convex combination $\lambda x_1 + (1 - \lambda) x_2$ is an element of $K$ for all $\lambda \in [0, 1]$. The convex hull of a set $K$, $conv(K)$, is the smallest convex set which contains $K$, i.e. the set of all convex combinations of points of $K$. Given a finite set $\{p_1, \ldots, p_k\}$ of points in $\mathbb{R}^n$, the convex hull of this set is a bounded polyhedron, also called a polytope. The vertices of this polytope will be members of the set $\{p_1, \ldots, p_k\}$, though not every point $p_i$ needs to be a vertex.

In the next section it will be necessary to find a maximum of a linear function with linear constraints. This problem is often referred to as LP-problem (Linear Programming). There are several equivalent forms for the LP-problem, but it is usually defined as follows: Given $c \in \mathbb{R}^n$, $b \in \mathbb{R}^m$, $A \in \mathbb{R}^{m \times n}$ find the maximum

$$\max\{c^T x \mid Ax \leq b\} \qquad (5)$$

If $K = \{x \mid Ax \leq b\}$ is a nonempty polytope, it is possible to calculate the vertices $p_1, \ldots, p_k$ of $K$. This leads to the following lemma:

Lemma 1. Let $K = conv(p_1, \ldots, p_k)$ be a polytope and suppose $c : \mathbb{R}^{\geq 0} \to \mathbb{R}^n$ such that each element $c_j$ is analytic. Then there exist $t_{max} > 0$ and a vertex $p$ of $K$ which satisfies

$$c(t)^T p = \max_{x \in K} c(t)^T x \quad \forall t \in [0, t_{max}] \qquad (6)$$

Fig. 2. $c(t)$ moves from $c(0)$ to $c(t_2)$

This lemma says that there exists a vertex which is optimal at $t = 0$ and which stays optimal for at least $t_{max}$ time units. The optimum does not have to be unique, and if two or more vertices are optimal then all points which are convex combinations of these points are also optimal. The proof uses the fact that all functions $c(t)^T p_i$ are analytic mappings from $\mathbb{R}$ to $\mathbb{R}$. Among these there has to be a function which is greater than or equal to the others on an interval. More information on polyhedra and solving the LP-problem can be found in [Sch86], [GMW91] or [Fis91].

Figure 2 illustrates lemma 1 for two dimensions. The maximum (6) is attained from 0 up to $t_1$ in vertex A. At time $t_1$ the maximum is not unique; it is attained in every point on edge AB. Without the assumption that the $c(t)_i$ are analytic, one could easily construct a function $c(t)$ (e.g. using $\sin(1/t)$) such that the maximum is not constantly attained in one vertex for any interval $[0, t_{max}]$.

Because polyhedra are convex, the theorems on convex sets, or even stronger theorems, hold. A nonempty intersection of two polyhedra is a polyhedron, and a nonempty intersection of a polytope with a polyhedron yields a polytope. The image of a (bounded) polyhedron under a linear function is also a (bounded) polyhedron.

The effect of the transitions of the EHC is specified by an assignment $s'_D := \phi_D$, where $\phi_D$ is a mapping from $\mathcal{V}_D$ to $\mathcal{V}_D$, and an assignment $s'_C := A s_C + b$, where $A$ is an $n \times n$ matrix and $b \in \mathbb{R}^n$. We will also allow nondeterministic assignments to polytopes. We have already seen that the preconditions define sets of polyhedra, and with the foregoing we can conclude that the effect will map these to a set of polyhedra.
5 Trajectories and Linear Systems

In the last section we have seen that polyhedra are important in studying transitions. This section presents a method which uses polyhedra as approximation of reachable sets. Therefore we need some theory on linear time invariant systems. For a general introduction to Control Theory and linear systems see [BG80] or [Bro70].

Considering the composition of the EHC with the filtered environment we see that the behavior of the continuous variables is modeled in two ways. We divide the set of continuous variables $V_C$ in two sets $Z$ and $Q$. The trajectories of the variables in $Z$ are continuous functions $z : I \to Z$, which are defined by differential equations. $Q$ contains the variables that take only values in bounded subsets of $\mathbb{R}$. Though $Q$ is a subset of $V_C$, the trajectories of these variables are generally not continuous.

We assume that the continuous behavior of the variables in $Z$ is defined by a linear, time invariant differential equation as follows

$$\dot{z}(t) = A z(t) + B q(t) \qquad (7)$$

In the remainder of this section we will call $z$ (internal) state and $q$ input, for both are defined analogously to states and inputs as known in Control Theory, even if the corresponding variables are not input or internal variables of the HIOA. The filtered environment (table 1) uses $Z = \{f, h\}$ and $Q = \{e, c\}$.

The unique solution of the differential equation (7) with initial state $z(0) = z_0$ is given by³

$$z(t) = e^{At} z_0 + \int_0^t e^{A(t - \sigma)} B q(\sigma)\, d\sigma \qquad (8)$$

We abbreviate the right-hand side by $\varphi(z_0, t, q)$.

In Control Theory one often wants to find a time optimal control for the system (7), assuming $q : I \to Q$ and $z_0 \in Z_0$, with $Q$ and $Z_0$ bounded and closed subsets of $\mathbb{R}^m$ and $\mathbb{R}^n$ respectively. Let $Reach(Z_0, t_f, Q)$ denote the set of states that can be reached from the initial set of states $Z_0$ at time $t_f$ with inputs in $Q$. Denote the boundary of a set $S$ by $\delta(S)$.

The reachable states form a convex, bounded set. So, if we assume $z_f \in \delta(Reach(Z_0, t_f, Q))$ then there exists a supporting hyperplane (tangent plane) that contains $z_f$. Let $c_f$ be the normal on this hyperplane such that $c_f^T z \leq c_f^T z_f$ for all reachable states $z$. However, if we assume that the reachability set is unknown, we cannot choose such a $z_f$ and determine the normal $c_f$. But fortunately it is possible to find, for a given $c_f$ and an arbitrary $t_f$, an input $q$ and an initial state $z_0$ such that $c_f^T z \leq c_f^T \varphi(z_0, t_f, q)$ for all $z \in Reach(Z_0, t_f, Q)$.

Lemma 2. Suppose $Z_0 \subseteq \mathbb{R}^n$ and $Q \subseteq \mathbb{R}^m$ are compact and convex sets. Let $c_f$ be a vector in $\mathbb{R}^n$ and $t_f \in I$. Then there exist a $\bar{z}_0 \in \delta(Z_0)$ and a mapping $\bar{q} : I \to \delta(Q)$ with

$$c_0^T \bar{z}_0 = \max_{z_0 \in Z_0} c_0^T z_0 \qquad (9)$$

$$c_0^T e^{-At} B \bar{q}(t) = \max_{q \in Q} c_0^T e^{-At} B q \qquad (10)$$

$$c_f^T \bar{z}_f = \max_{z \in Z_f} c_f^T z \qquad (11)$$

with $\bar{z}_f = \varphi(\bar{z}_0, t_f, \bar{q})$, $c_0 = e^{A^T t_f} c_f$ and $Z_f = Reach(Z_0, t_f, Q)$.

³ Note that $e^{At}$ is a symbolic notation for the fundamental solution of $\dot{z} = Az$.

(9) and (10) can be proved using the fact that there always exists a maximum of a linear function on a compact and convex set (see [LM67]). It should be noted that $\bar{z}_0$ and $\bar{q}$ are not necessarily unique. Using (9), (10) and (8) it is straightforward to show that $c_f^T(\varphi(\bar{z}_0, t_f, \bar{q}) - \varphi(z_0, t_f, q)) \geq 0$ holds for arbitrary $z_0$ and $q$, therefore (11) is proven. The relations between $z_f$, $q$ and $z_0$ given by this lemma are used to prove the bang-bang principle (or theorem of Lee-Markus [LM67]). This principle states that it is always possible to reach an extreme state with an extreme control.

Fig. 3. The bounds on reachable height and filtered height after 1, 2 and 3 seconds (solid) and their approximations (dash-dotted). Initially $f = 0$, $h = 0$ and loc = in_tolerance.

Suppose we want to find, for a given matrix $A = (c_1^T; \ldots; c_l^T)$ (the matrix of the polyhedron, not to be confused with the system matrix of (7)), a vector $b = (b_1; \ldots; b_l)$ such that $Reach(Z_0, t_f, Q) \subseteq \{z \mid Az \leq b\}$. Let $c_{0i} := e^{A^T t_f} c_i$; then we can find $z_{0i}$ from (9) and an optimal $q_i$ from (10). Then $c_i^T z \leq b_i$ holds for all elements $z$ in the reachability set, with $b_i := c_i^T \varphi(z_{0i}, t_f, q_i)$. If we apply this method to all $c_i$, we get that the reachable set is included in the polyhedron defined by $Az \leq b$. Whether the polyhedron is bounded depends on the choice of the matrix $A$. Figure 3 shows an example of how the reachable states of the composition of the EHC and the filtered environment were approximated (using the same matrix $A$ as in the next section). We can approximate the reachable states arbitrarily closely by adding proper row vectors to $A$.
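As an added example (not the paper's own code), the row-by-row construction above, carried out in pure Python for the filter dynamics of table 1: $z = (h, f)$ and $q = (e, c)$, so the matrices $A$ and $B$ of (7) are read off from (1) and (2). For each direction $c_i$, reach_bound forms $c_{0i}$, picks $z_{0i}$ among the vertices of $Z_0$ (lemma 1), takes the extreme input of (10) pointwise over the box $Q$, and evaluates the integral of (8) numerically; polyhedral_bound collects the $b_i$. The numeric values ($T$, $Z_0$, the input bounds and the eight directions) are assumed, and the polyhedron matrix is called C in the code to keep it apart from the system matrix. A sampling-based check compares the bound against random executions: it can expose an unsound bound but does not prove soundness, and the Simpson integration is not a rigorous enclosure, which is the caveat to keep in mind before using such numbers in a verification argument.

```python
"""Polyhedral over-approximation of Reach(Z0, tf, Q) for z' = A z + B q (7),
following lemma 2 and the row-by-row construction of b. Added example, not
code from the paper. Uses the filter dynamics of table 1 with assumed values.
Pure Python, no numpy; C is the polyhedron matrix (called A in the text)."""
import math
import random


def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) for j in range(len(Y[0]))]
            for i in range(len(X))]

def matvec(X, v):
    return [sum(X[i][k] * v[k] for k in range(len(v))) for i in range(len(X))]

def transpose(X):
    return [list(col) for col in zip(*X)]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def expm(A, t, terms=30):
    """e^{A t} by scaling and squaring of a truncated Taylor series."""
    n = len(A)
    norm = max(sum(abs(x) for x in row) for row in A) * abs(t)
    s = int(math.ceil(math.log2(norm))) + 1 if norm > 1.0 else 0
    M = [[A[i][j] * t / 2 ** s for j in range(n)] for i in range(n)]
    E = [[float(i == j) for j in range(n)] for i in range(n)]
    P = [row[:] for row in E]
    for k in range(1, terms):
        P = [[x / k for x in row] for row in matmul(P, M)]      # M^k / k!
        E = [[E[i][j] + P[i][j] for j in range(n)] for i in range(n)]
    for _ in range(s):
        E = matmul(E, E)
    return E


def argmax_vertex(c, verts):
    """Lemma 1: a linear function attains its maximum over a polytope at a
    vertex, so the maximum is a scan over the vertex list."""
    best = max(verts, key=lambda v: dot(c, v))
    return dot(c, best), best

def argmax_box(w, lo, hi):
    """max of w^T q over the box Q = prod [lo_j, hi_j]: an extreme (bang-bang)
    input, chosen coordinate-wise by the sign of w_j."""
    q = [hi[j] if w[j] > 0 else lo[j] for j in range(len(w))]
    return dot(w, q), q

def reach_bound(A, B, Z0_verts, Qlo, Qhi, c, tf, n_int=400):
    """b_i = max {c^T z : z in Reach(Z0, tf, Q)} for one direction c.
    c0 = e^{A^T tf} c selects z0 as in (9); the input of (10) maximises
    c^T e^{A(tf-s)} B q pointwise over Q; (8) then gives b_i as the z0 term
    plus an integral, evaluated with composite Simpson on n_int intervals."""
    c0 = matvec(transpose(expm(A, tf)), c)
    z0_term, z0 = argmax_vertex(c0, Z0_verts)

    def integrand(s):                     # max_q c^T e^{A(tf-s)} B q
        w = matvec(transpose(B), matvec(transpose(expm(A, tf - s)), c))
        return argmax_box(w, Qlo, Qhi)[0]

    h = tf / n_int
    acc = integrand(0.0) + integrand(tf)
    for i in range(1, n_int):
        acc += (4 if i % 2 else 2) * integrand(i * h)
    return z0_term + acc * h / 3.0, z0

def polyhedral_bound(A, B, Z0_verts, Qlo, Qhi, C, tf):
    """Vector b with Reach(Z0, tf, Q) contained in {z | C z <= b}."""
    return [reach_bound(A, B, Z0_verts, Qlo, Qhi, c, tf)[0] for c in C]


def discretize(A, B, h):
    """Exact step for piecewise-constant q: z(t+h) = Ad z(t) + Bd q, read off
    exp(h [[A, B], [0, 0]]) = [[Ad, Bd], [0, I]]."""
    n, m = len(A), len(B[0])
    aug = [A[i] + B[i] for i in range(n)] + [[0.0] * (n + m) for _ in range(m)]
    E = expm(aug, h)
    return [row[:n] for row in E[:n]], [row[n:] for row in E[:n]]

def max_violation(A, B, Z0_verts, Qlo, Qhi, C, b, tf, runs=200, steps=20, seed=1):
    """Sanity check, not a proof: simulate random executions (random point of
    Z0, random piecewise-constant q in Q) and return max_i (c_i^T z(tf) - b_i).
    A sound bound never gives a value above rounding noise."""
    rng = random.Random(seed)
    Ad, Bd = discretize(A, B, tf / steps)
    worst = -math.inf
    for _ in range(runs):
        wts = [rng.random() for _ in Z0_verts]
        z = [sum(w * v[i] for w, v in zip(wts, Z0_verts)) / sum(wts) for i in range(len(A))]
        for _ in range(steps):
            q = [rng.uniform(lo, hi) for lo, hi in zip(Qlo, Qhi)]
            z = [x + y for x, y in zip(matvec(Ad, z), matvec(Bd, q))]
        worst = max(worst, max(dot(c, z) - bi for c, bi in zip(C, b)))
    return worst


# --- assumed instance: filter of table 1 in location in_tolerance (c = 0) -----
T_FILTER = 1.0
A_SYS = [[0.0, 0.0], [1.0 / T_FILTER, -1.0 / T_FILTER]]    # h' = e + c, f' = (h - f)/T
B_SYS = [[1.0, 1.0], [0.0, 0.0]]                            # q = (e, c)
Z0 = [[-1.0, -1.0], [1.0, -1.0], [1.0, 1.0], [-1.0, 1.0]]  # |h0| <= 1, |f0| <= 1
Q_LO, Q_HI = [-2.0, 0.0], [2.0, 0.0]                        # e in [-2, 2], c = 0
C_DIRS = [[1, 0], [-1, 0], [0, 1], [0, -1], [1, 1], [1, -1], [-1, 1], [-1, -1]]

def example(tf=1.0):
    b = polyhedral_bound(A_SYS, B_SYS, Z0, Q_LO, Q_HI, C_DIRS, tf)
    return b, max_violation(A_SYS, B_SYS, Z0, Q_LO, Q_HI, C_DIRS, b, tf)

if __name__ == "__main__":
    b, viol = example()
    for c, bi in zip(C_DIRS, b):
        print(f"{c[0]:+d}*h {c[1]:+d}*f <= {bi:.4f}")
    print("max violation over random executions:", viol)
```

For this instance the first two rows can be checked by hand: $h$ does not depend on $f$, so $\max h(1) = 1 + 2 \cdot 1 = 3$, and driving $e$ at its upper bound from the vertex $(1, 1)$ gives $\max f(1) = 1 + 2/e$. Adding directions to C_DIRS tightens the polyhedron, exactly as the text describes for adding row vectors to $A$.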

Often we are not only interested in the reachable set at certain points in time, but also in constraints on the reachable states in an interval of time. To get a lemma similar to lemma 2, we need restrictions on $Z_0$ and $Q$. In the remainder of this section we assume that both $Z_0$ and $Q$ are not only convex and compact but also bounded polyhedra. $Reach(Z_0, [0, t_f], Q)$ denotes the set of states which can be reached from $Z_0$ with input in $Q$ within time $t_f$.

Lemma 3. Suppose $Z_0 \subseteq \mathbb{R}^n$ and $Q \subseteq \mathbb{R}^m$ are bounded polyhedra. Let $c_{max}$ be a vector in $\mathbb{R}^n$. Then there exist a $\bar{z}_0 \in \delta(Z_0)$, a $t_{max} > 0$ and a constant $\bar{q} \in \{q \mid q : [0, t_{max}] \to \delta(Q)\}$ with

$$c_{max}^T e^{At} \bar{z}_0 = \max_{z_0 \in Z_0} c_{max}^T e^{At} z_0, \quad \forall t \in [0, t_{max}] \qquad (12)$$

$$c_{max}^T e^{A(t_{max} - t)} B \bar{q}(t) = \max_{q \in Q} c_{max}^T e^{A(t_{max} - t)} B q, \quad \forall t \in [0, t_{max}] \qquad (13)$$

$$c_{max}^T \bar{z}(t) = \max_{z \in Z(t)} c_{max}^T z, \quad \forall t \in [0, t_{max}] \qquad (14)$$

with $\bar{z}(t) = \varphi(\bar{z}_0, t, \bar{q})$ and $Z(t) = Reach(Z_0, t, Q)$.

The proof uses the existence of an interval $[0, t_{max1}]$ on which the maximum of $c_{max}^T e^{At} z_0$ is attained in one vertex $\bar{z}_0$ of $Z_0$ (see lemma 1). The same holds for $\bar{q}$; there exists an interval $[0, t_{max2}]$ where $\bar{q}$ is constant. Take $t_{max}$ as the minimum of $t_{max1}$ and $t_{max2}$. Similar to the proof of lemma 2 we use (12), (13) and (8) to show that $c_{max}^T(\varphi(\bar{z}_0, t, \bar{q}) - \varphi(z_0, t, q)) \geq 0$ holds for arbitrary $z_0$, $q$ and all $t \in [0, t_{max}]$, and therefore (14) is proven. Since $\bar{q}$ is constant on $[0, t_{max}]$ we are able to simplify the integrals that arise from (8).

Suppose $Z_0$ is a bounded polyhedron, and the matrix $A$ is chosen such that $Z_0$ is contained in the bounded polyhedron $\{z \mid Az \leq b_0\}$ for a certain $b_0$. Then lemma 3 allows us to find a $b(t) := c_{max}^T \bar{z}(t)$ (one component for each row $c_{max}$ of $A$) such that $Reach(Z_0, t, Q) \subseteq \{z \mid Az \leq b(t)\}$ for all $t$ in some interval $[0, t_{max}]$. The upper bound $t_{max}$ depends solely on the matrix $A$, $Q$ and $Z_0$ and not on the choice of $b_0$. This allows us to approximate the reachable set even if $t_{sample} > t_{max}$. In this case the approximation technique is applied iteratively to the result of the preceding approximation, until the number of iterations times $t_{max}$ exceeds $t_{sample}$.

We are often also interested in a single bounded polyhedron that includes the states which are reachable within the interval $[0, t_{max}]$. For this purpose we can use the inequality $Az \leq \max_{t \in [0, t_{max}]} b(t)$ (taken componentwise). In general this approximation gets worse with a longer interval $[0, t_{max}]$. It should be noted that $\{(z; t) \mid z \in Reach(Z_0, t, Q)\}$ is generally not convex, and hence it is difficult to handle transitions that do not take place at a specified time. Therefore we restrict the model to clocked HIOAs.

Lemma 3 provides a method to approximate the reachable set of such a HIOA. Let $REACH(t, \Theta)$ denote the set of reachable states at time $t$ with initial set $\Theta$ and let $REACH([0, t], \Theta)$ denote the set of all states which are reachable within time $t$. The approximation of the continuous parts of the reachable states with bounded polyhedra of the form $\{z \mid Az \leq b\}$ is denoted by $aprx(REACH(\cdot, \Theta), A)$. Let $S$ be a set of states; then $trans(S)$ is the set of states after applying the transition rules.

Let $\Theta$ denote the set of initial states. We choose a matrix $A$ and a vector $b$ such that the initial values of the variables in $Z$ are included in bounded polyhedra of the form $\{z \mid Az \leq b\}$. The algorithm used for the reachability analysis has the following structure. Initially we choose $\Theta_0 = \Theta$ and $i = 0$. In the first step we determine the bounds of $aprx(REACH([0, t_{sample}], \Theta_i), A)$. In the next step we determine $\hat{\Theta}_i := aprx(REACH(t_{sample}, \Theta_i), A)$ and $\Theta_{i+1} := trans(\hat{\Theta}_i)$. We increase $i$ by one and return to the first step. The algorithm terminates if $\Theta_{i+1} \subseteq \Theta_i$. Notice that there are no guarantees that the algorithm terminates, and it is easy to find a counterexample.

We can apply this algorithm when the hybrid system is clocked, its continuous behavior is governed by piecewise linear differential equations, the transitions are defined by linear inequalities and the assignments are linear. In the previous section we have seen that the composition of the EHC and the filtered environment has these properties.

6  Results 

In [SMF97] Stauner et al. use HyTech to verify properties of the composed system. First, they showed that the EHC keeps the height of the chassis within certain bounds. Next, they proved that the escape valve and compressor are never used at the same time; for this they had to include two automata, which model the escape valve and the compressor. In addition, they extended the model with a bend detection and showed that the EHC does not change the height in bends. Stauner et al. also examined the stability of the EHC after a step-like disturbance.

This paper re-examines only the bounds of the chassis level and the step response of the EHC. The second and third property involve mainly discrete variables. Consequently one cannot expect that a different approximation technique improves these results. We used Mathematica and MatLab to re-examine the automotive control problem.


6.1  Bounds  for  the  Chassis  Level 

The bounds of the chassis level are given by the maximum and minimum value of $h$ over all reachable states. We derived the bounds of the chassis level for a system with $cp_{min} = 1$ mm/s, $cp_{max} = 2$ mm/s, $ev_{min} = -2$ mm/s, $ev_{max} = -1$ mm/s and $sp = 0$ mm. Therefore $e$ lies in the interval $[-1 \text{ mm/s}, 1 \text{ mm/s}]$. The constants that define the transitions are chosen as $otl_s = -40$ mm, $otu_s = 20$ mm, $otl_d = -10$ mm, $otu_d = 10$ mm, $itl_s = -6$ mm, $itu_s = 16$ mm, $itl_d = -6$ mm, $itu_d = 6$ mm. Stauner et al. used as time constant of the filter $T = 2$ s and as sampling time $t_{sample} = 1$ s. They chose $h = 0$ mm and $f = 0$ mm as initial values. Using this setting they verified that the chassis level $h$ is always in $[-47 \text{ mm}, 27 \text{ mm}]$. This means that the outer limits $otl_s$ and $otu_s$ are never exceeded by more than 7 mm.
                 t_sample = 1 s      t_sample = 0.5 s
T = 2 s          [-42.6, 23.3]       (entry not legible in the scan)
T = 1 s          [-42.0, 22.1]       [-41.5, 21.6]

Table 3. The bounds of the chassis level $h$ in mm


They  expected  that  the  results  can  be  improved  by  using  a  smaller  time  constant 
T  and  a  smaller  sampling  time. 

The behavior of $f$ and $h$ is governed by the following differential equations

$$\dot f = \frac{1}{T}(h - f)$$

$$\dot h = e + c$$

with $e \in [-1 \text{ mm/s}, 1 \text{ mm/s}]$ and $c = 0$, $c \in [-2 \text{ mm/s}, -1 \text{ mm/s}]$ or $c \in [1 \text{ mm/s}, 2 \text{ mm/s}]$,

depending on the control location. With a more heuristic approach, using the solution of (15), it can be found that the real height will exceed the outer tolerance limits by about $e_{max}(T + t_{sample})$ mm and $e_{min}(T + t_{sample})$ mm respectively.

We re-examine these results for $T \in \{2 \text{ s}, 1 \text{ s}\}$ and $t_{sample} \in \{0.5 \text{ s}, 1 \text{ s}\}$. We are mostly interested in the bounds on the height, but also in the bounds on the filtered height and the bounds on the difference between filtered and real height, i.e. we want to determine the upper limits of $f$, $-f$, $f - h$, $h - f$, $h$ and $-h$. Hence we use the matrix $A := (1\ 0;\ -1\ 0;\ 1\ -1;\ -1\ 1;\ 0\ 1;\ 0\ -1)$ to define the polyhedra that include the reachable filtered height and real height. Thus $t_{max}$ from Lemma 3 is equal to 1.

The initial states are $(f, h)^T \in \{x \in \mathbb{R}^2 \mid Ax \le (10\ 30\ 20\ 20\ 10\ 30)^T\}$. This shortens the required time to run the algorithm. The influence of this choice on the results is limited, since all initial sets that contain the origin converge rapidly to the same collection of reachable sets. The results can be found in Table 3. Obviously the proposed approximation technique gives better results. They almost coincide with the limits a more heuristic approach yields. In addition, the bounds are tighter for smaller $T$ and $t_{sample}$, as expected. It is worth mentioning that states which satisfy $(loc = up) \wedge (f < sp + otl_{s/d})$ or $(loc = down) \wedge (f > sp + otu_{s/d})$ are not reachable within this setting. So the transitions to_up and to_down can be simplified.
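The polyhedral approximation step of the algorithm above, as an added example that is not the paper's Mathematica/MatLab program: it computes bounds $b(t)$ with $\{z \mid Az \le b(t)\} \supseteq REACH(t, \Theta_0)$ for the filter dynamics, the matrix $A$ and the initial set of this subsection, with $c$ constant within a location and $e(t) \in [e_{min}, e_{max}]$. It uses support functions of the initial polyhedron and of the input set, a standard construction assumed here in place of Lemma 3 (whose statement is not on this page); the vertex enumeration is written for two dimensions only.

```python
# Added example: template-polyhedron bounds for the EHC filter dynamics of section 6.1.
# Dynamics (constant c, time-varying e(t) in [emin, emax]):  f' = (h - f)/T,  h' = e + c.
# Support functions stand in for the paper's Lemma 3; the initial set is the paper's polyhedron.
import math
from itertools import combinations

# Template directions A from section 6.1: rows bound f, -f, f-h, h-f, h, -h.
A_TEMPLATE = [(1.0, 0.0), (-1.0, 0.0), (1.0, -1.0), (-1.0, 1.0), (0.0, 1.0), (0.0, -1.0)]
# Initial set {(f,h) | A (f,h)^T <= B0} used in section 6.1.
B0 = [10.0, 30.0, 20.0, 20.0, 10.0, 30.0]


def vertices(A, b, tol=1e-9):
    """Vertices of the bounded 2-D polyhedron {z | A z <= b}: feasible pairwise intersections."""
    pts = []
    for i, j in combinations(range(len(A)), 2):
        (a1, a2), (c1, c2) = A[i], A[j]
        det = a1 * c2 - a2 * c1
        if abs(det) < 1e-12:            # parallel constraint lines, no vertex
            continue
        f = (b[i] * c2 - a2 * b[j]) / det
        h = (a1 * b[j] - b[i] * c1) / det
        if all(r[0] * f + r[1] * h <= bk + tol for r, bk in zip(A, b)):
            pts.append((f, h))
    return pts


def exp_mt(t, T):
    """Closed form of exp(M t) for M = [[-1/T, 1/T], [0, 0]] (the f/h dynamics without input)."""
    r = math.exp(-t / T)
    return ((r, 1.0 - r), (0.0, 1.0))


def support_initial(a, t, T, A, b):
    """sup over z0 in {Az<=b} of a^T exp(Mt) z0, i.e. the support of the initial set in direction exp(Mt)^T a."""
    E = exp_mt(t, T)
    d = (a[0] * E[0][0] + a[1] * E[1][0], a[0] * E[0][1] + a[1] * E[1][1])
    return max(d[0] * f + d[1] * h for f, h in vertices(A, b))


def support_input(a, t, T, c, emin, emax, steps=2000):
    """sup over e(.) in [emin, emax] of int_0^t a^T exp(M(t-s)) (0, e(s)+c)^T ds, midpoint rule.
    Only the second component of exp(M(t-s))^T a multiplies the input, and the sup over a
    bounded scalar input is attained at an end point of [emin, emax]."""
    ds = t / steps
    total = 0.0
    for k in range(steps):
        s = (k + 0.5) * ds
        d2 = a[0] * (1.0 - math.exp(-(t - s) / T)) + a[1]
        total += (d2 * c + max(d2 * emin, d2 * emax)) * ds
    return total


def reach_bounds(t, T, c, emin, emax, A=A_TEMPLATE, b=B0):
    """b(t) such that {z | A z <= b(t)} contains REACH(t, Theta0) in the location with rate c."""
    return [support_initial(a, t, T, A, b) + support_input(a, t, T, c, emin, emax) for a in A]


def interval_bounds(tmax, T, c, emin, emax, A=A_TEMPLATE, b=B0, grid=20):
    """Row-wise max of b(t) over a grid on [0, tmax]: one polyhedron for REACH([0, tmax], Theta0).
    The grid only samples max_t b(t); a guaranteed bound needs b(t) evaluated continuously."""
    rows = [reach_bounds(k * tmax / grid, T, c, emin, emax, A, b) for k in range(grid + 1)]
    return [max(col) for col in zip(*rows)]


if __name__ == "__main__":
    # Location in_tolerance (c = 0), T = 2 s, e in [-1, 1] mm/s, one sampling period of 1 s.
    names = ("f", "-f", "f-h", "h-f", "h", "-h")
    for name, val in zip(names, reach_bounds(1.0, 2.0, 0.0, -1.0, 1.0)):
        print(f"{name:>4} <= {val:.3f}")
```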

6.2  Step  Response  of  the  EHC 

In the previous subsection we examined the response of the EHC to small disturbances. In this subsection we assume that there is only one disturbance of step shape and no other disturbances occur. Disturbances of step shape are typical test functions to examine the stability of a controller. At an arbitrary moment, when the system is in in_tolerance and $f = 0$ mm, the height makes a jump to $j$. This is the only disturbance and we assume $e = 0$. The jump can be simulated by taking $f = 0$ mm, $h = j$ and $t_{clock} \in [0 \text{ s}, 1 \text{ s}]$ as initial values. For the
j           t_imax           t_remax    h_end
[11, 12]    5.8              13.8       [0.1, 4.4]
[12, 13]    4.6              13.6       [0, 4.4]
[13, 14]    4.0              14.0       [0, 4.3]
[14, 15]    3.6              14.6       [0, 4.4]
[15, 16]    3.2              15.2       [0, 4.3]
[16, 17]    2.8              16.0       [0, 4.3]
[17, 18]    2.5              16.8       [0, 4.2]
[18, 19]    (not legible)    17.7       [0, 4.3]
[19, 20]    (not legible)    18.5       [0, 4.2]

Table 4. Some results for the step response of the EHC. The values of $t_{imax}$ and $t_{remax}$ are given in seconds, and those of $j$ and $h_{end}$ in mm.


quality of the approximations decreases with a longer interval, we took initially $t_{clock} \in [0 \text{ s}, 0.1 \text{ s}], \ldots, t_{clock} \in [0.9 \text{ s}, 1 \text{ s}]$.

Stauner et al. assumed a jump $j \in (16 \text{ mm}, 18 \text{ mm}]$ and that the system is in driving mode. In this case we expect that the controller uses the escape valve after disturbances of this size. Additionally they assumed that the escape valve operates at its minimum value, hence $ev_{min} = ev_{max} = -1$ mm/s. This restriction was necessary to avoid arithmetic overflows. For this setting they found that the controller leaves in_tolerance at most 4.3 s after the disturbance and re-enters it after at most 22.3 s. They verified that the chassis level then lies in $[-1 \text{ mm}, 6 \text{ mm}]$.

For the same setting it is possible with the proposed approximation technique to show that the controller leaves in_tolerance after at most 3 seconds, re-enters in_tolerance after at most 16.9 seconds, and that the chassis level then lies in the interval $[3.0 \text{ mm}, 4.1 \text{ mm}]$. It is also possible to investigate the step response for a system with the original setting for $ev_{min}$ and $ev_{max}$ and a number of intervals for $j$. The results can be found in Table 4. It shows, for jumps $j$ within the specified intervals, the maximum time the controller needs to detect the disturbance ($t_{imax}$), the maximum time the controller needs before re-entering in_tolerance ($t_{remax}$) and the interval that contains $h$ after re-entering in_tolerance ($h_{end}$). The interval $[10 \text{ mm}, 11 \text{ mm}]$ was not considered, because a jump with $j = 10$ mm cannot be detected in finite time.

Figure 4 illustrates the behavior of the EHC due to jumps in $[13 \text{ mm}, 14 \text{ mm}]$ occurring at $t_{clock} = 0$. We see that the EHC enters location down after 3 seconds and re-enters location in_tolerance after 13 seconds at the earliest. All reachable states will ultimately converge to points on the diagonal, since the filtered height converges to the real height.


7  Conclusion 

The program used for the analysis is quite preliminary and it will take some time to make it suitable for problems other than the automotive control problem. Hence the required CPU times are less impressive (re-examining the step responses (Table 4) took less than one hour; the reachability analysis required, depending on the choice of $t_{sample}$ and $T$, up to one day). An extension to, or implementation in, a more general program will be done in the future. To
Fig. 4. Step response due to a jump in $[13 \text{ mm}, 14 \text{ mm}]$ starting at $t_{clock} = 0$ (plot not reproduced; axis label: filtered height)


ensure that the algorithm is applicable to more realistic models, an analysis of the complexity will also be done in the future.

The proposed approximation technique gives obviously better results for the reachability analysis of a hybrid system with restricted discrete dynamics, but uses the full dynamics of the linear system (linear in the sense of control theory) that describes the continuous dynamics. The most restrictive assumption is that the system has to be clocked. Fortunately many real-life problems within a controller-environment setting have this property.

If we apply our technique to systems with piecewise constant derivatives, this restriction can be weakened. The matrix $A$ in (7) will be zero; consequently $t_{max}$ from Lemma 3 will be infinity. Additionally the reachable sets will form a convex set in time and the approximation will be exact. This simplifies the analysis of the system and hence the assumption of a clocked hybrid system can be dropped. For this class of hybrid systems, the method proposed in this paper coincides with the methods for Linear Hybrid Systems as presented e.g. in [ACH+95].

Puri et al. approximated a Lipschitz differential inclusion arbitrarily closely by a piecewise constant inclusion and then used polyhedra to approximate the reachable set [PBV95]. Lipschitz differential inclusions form a more general class of systems than linear systems. Since in this paper only the latter were considered, it was not necessary to approximate the continuous behavior, provided that the discrete behavior satisfies certain restrictions.

Reachability analysis of hybrid systems requires restrictions on the discrete and continuous dynamics. The hybrid system Stauner et al. used for the automotive control problem provides a discrete behavior that allows us to use properties of linear systems for the analysis of the continuous part.
Abstract. This paper presents new results on switching control using neural networks. Given a set of candidate controllers, a pair of neural networks is trained to identify the stability region and estimate the closed-loop performance for each controller. The neural network outputs are used in the on-line switching rule to select the controller output to be applied to the system during each control period. The paper presents architectures and training procedures for the neural networks and sufficient conditions for stability of the closed-loop system using the proposed switching strategy. The neural-network-based switching strategy is applied to generate the switching strategy embedded in the SIMPLEX architecture, a real-time infrastructure for soft on-line control system upgrades. Results are shown for the real-time level control of a submerged vessel.


1  Introduction 


A common approach to control complex dynamic systems is to design a number of different controllers, each for a particular operating region or performance objective, and then to switch among the controllers in real time to achieve the overall control objective. This is, for example, the philosophy behind gain-scheduled controllers. Recently, switching control strategies have been proposed for adaptive control of unknown systems [1],[9], and to optimize the performance of stabilizing controllers for a known plant [8].

It is useful to view switching control systems as hybrid systems, that is, systems with both continuous state variables and discrete state variables. The plant state variables (assuming a continuous-variable system) and possibly continuous state variables in the controllers constitute the continuous state of the switching control system; the index of the current controller being applied to the system, and possibly discrete variables in the sequential switching logic, constitute the discrete state. System performance and stability are also normally defined in terms of the continuous-state trajectories. Analysis of switching control systems from either perspective is difficult because of the interaction between the continuous and discrete dynamics through the switching rules.

Given a collection of controllers for a nonlinear dynamic system, neural network techniques are presented for estimating the regions of stability and performance of each controller, and an on-line switching strategy is proposed based on these neural network estimates. Sufficient conditions are presented for closed-loop stability of the switching control system. On the application side, we describe the use of the neural network strategy to implement the switching rules in the SIMPLEX architecture, a real-time environment developed at the Software Engineering Institute at Carnegie Mellon University that provides protection against errors in control system upgrades [11], [4] and [10]. Results are presented for the real-time control of the level of a submerged vessel.


2  Problem  Formulation 

We consider the problem of controlling a nonlinear system described by the state equations

$$x_{k+1} = f(x_k, u_k), \qquad x_k \in S,\ u_k \in D \qquad (1)$$

where $x_k \in \mathbb{R}^n$ is the state vector and $u_k \in \mathbb{R}^m$ the control input vector. The connected sets $S \subset \mathbb{R}^n$, $D \subset \mathbb{R}^m$ represent physical constraints on the system state and control, respectively. The discrete-time state equation reflects the sampled-data implementation of a computer control system. The control objective is to take the state to the origin.

We assume $M$ state feedback controllers have been designed for this system, with the $i$th control law given by $g^i : \mathbb{R}^n \to \mathbb{R}^m$. We assume the origin is a stable equilibrium for each of the controllers in some (unknown) region. The objective of the switching strategy is to select one of the control outputs to apply to the system at each control instant so as to achieve the largest possible region of stability for the closed-loop system with a good transient response.

The closed-loop system created by the application of each controller is characterized by a stability region and a performance index. The region of stability for controller $i$ is defined as

$$R^i = \{ x_0 : x_k(x_0) \in S,\ g^i(x_k(x_0)) \in D\ \ \forall k \ge 0 \ \text{ and } \ \lim_{k \to \infty} x_k(x_0) = 0 \} \qquad (2)$$

where $x_k(x_0)$ denotes the trajectory of the system (1) with the initial state $x_0$ at $k = 0$ under control law $g^i$. We consider performance indices for the controllers of the form

$$J^i_\delta(x_0) = B^i + \sum_{k=0}^{\infty} \delta^k U^i(x_k(x_0)), \qquad (3)$$

where $0 < \delta \le 1$ is a discount factor, $U^i : \mathbb{R}^n \to \mathbb{R}$ is a positive definite state cost function, and $B^i$ is the bias coefficient for the $i$th controller. We assume (3) converges for $\delta = 1$.

The proposed approach for selecting the controller at each sampling instant is illustrated in Figure 1. Neural networks are used to compute estimates of the stability regions $R^i$ and performance indices $J^i_\delta$ at the current state, denoted by $\hat R^i$ and $\hat J^i_\delta$, respectively. The index of the control input to be applied for the next period, denoted $i_k$, is then selected as

$$i_k = \arg\min_{i \in I(x_k, L_k)} \{ \hat J^i_\delta(x_k) \} \qquad (4)$$

where

$$I(x_k, L_k) = \{ i \mid x_k \in \hat R^i \ \text{ and, if } i \ne i_{k-1},\ \hat J^i_\delta(x_k) < L^i_k \}$$

with $L_k = \{L^1_k, \ldots, L^M_k\}$ and, for $i = 1, \ldots, M$,

$$L^i_k = \begin{cases} \infty & \text{if } k = 0 \text{ or } x_k \notin \hat R^{i_{k-1}} \\ L^i_{k-1} & \text{if } i \ne i_k \\ \min\{\hat J^i_\delta(x_k), L^i_{k-1}\} & \text{if } i = i_k \end{cases}$$

In words, the scheduler selects the controller with the minimum estimated performance index from among the controllers for which the current state is in the estimated stability region and, for the controllers other than the current controller, the current estimated performance index is less than the corresponding bound $L^i_k$. The limits $L^i_k$ guarantee that a controller is not re-selected once it has been used until its performance index has decreased below the lowest value reached when it was last active. If the system leaves the stability region of the controller used during the previous period, all controllers become candidates again by setting $L^i_k = \infty$ for all $i = 1, \ldots, M$. This selection criterion is motivated by the min-switching strategies based on Lyapunov functions proposed in [8] and [6]. The strategy proposed in this paper replaces the Lyapunov functions with the neural network estimates of the performance measure, making it viable for systems for which the dynamics are not known precisely or Lyapunov functions cannot be found by analysis.
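The switching rule (4) with its limits $L_k$ in code, as an added example that is not part of the paper: the plant, the two controllers, the region estimates and the rollout-based cost estimates that stand in for the neural network outputs are all constructed for the illustration.

```python
# Added example (not the paper's code): the switching rule (4) with the limits L_k,
# exercised on a constructed 1-D plant with two candidate controllers.
import math


def switching_limits(k, in_region, prev_idx, prev_L):
    """Limits L_k before selection: reset to infinity at k = 0 or when x_k has left the
    estimated stability region of the controller used in the previous period."""
    if k == 0 or prev_idx is None or not in_region[prev_idx]:
        return [math.inf] * len(in_region)
    return list(prev_L)


def select_controller(k, in_region, cost, prev_idx, prev_L):
    """One evaluation of (4).

    in_region[i]: whether x_k lies in the estimated stability region of controller i.
    cost[i]:      estimated performance index of controller i at x_k.
    Returns (i_k, L_k). A controller other than the previous one is a candidate only if
    its estimate is below its limit, the lowest value it reached while it was active."""
    L = switching_limits(k, in_region, prev_idx, prev_L)
    candidates = [i for i in range(len(cost))
                  if in_region[i] and (i == prev_idx or cost[i] < L[i])]
    if not candidates:
        raise ValueError("x_k lies outside every estimated stability region")
    i_k = min(candidates, key=lambda i: cost[i])
    L[i_k] = min(cost[i_k], L[i_k])      # case i = i_k of the limit update
    return i_k, L


# Constructed plant: x_{k+1} = x_k + u_k with S = [-5, 5], D = [-1, 1].
GAINS = [0.2, 0.9]               # g^i(x) = -GAINS[i] * x
REGION_RADIUS = [5.0, 1.1]       # conservative estimates of R^i: g^i(x) stays inside D there


def control(i, x):
    return -GAINS[i] * x


def cost_estimate(i, x, delta=0.95, horizon=200):
    """Stand-in for the performance estimator network: truncated sum (3) with U(x) = x^2, B^i = 0."""
    total, z = 0.0, x
    for k in range(horizon):
        total += delta ** k * z * z
        z = z + control(i, z)
    return total


def simulate(x0, steps=40):
    """Run the switched loop from x0; returns the controller sequence and the final state."""
    x, prev, L, trace = x0, None, None, []
    for k in range(steps):
        in_region = [abs(x) <= r for r in REGION_RADIUS]
        cost = [cost_estimate(i, x) for i in range(len(GAINS))]
        i_k, L = select_controller(k, in_region, cost, prev, L)
        trace.append(i_k)
        x = x + control(i_k, x)
        prev = i_k
    return trace, x


if __name__ == "__main__":
    # From x0 = 4 the gentle controller is used until the aggressive one's region is reached.
    trace, x_end = simulate(4.0)
    print("controller sequence:", trace)
    print("final state:", x_end)
```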


3  Neural  Networks 


Neural networks are used in two ways in the proposed scheme. The stability region estimator is a classifier, identifying when the system is stable for a given state. The performance estimator produces an estimate of the cost-to-go function (3) from a given state. In both cases a two-layer feedforward network is used for its capacity as a universal approximator with a size that is small relative to the size of the data set [3].


Fig.  1.  Control  Scheduling  diagram. 
The input-output behavior of the two-layer network with linear output units is described by

$$y = b_0 + W_0 x + W_3^T \phi_2(b_2 + W_2^T \phi_1(b_1 + W_1^T x)), \qquad (5)$$

where $x \in \mathbb{R}^{n_0}$ is the input vector, $y \in \mathbb{R}^{n_3}$ the output vector, $W_j$, $j = 1, 2, 3$, and $W_0 \in \mathbb{R}^{n_3 \times n_0}$ the weight matrices for each layer of $n_i$ units, $b_i \in \mathbb{R}^{n_i}$ the threshold vectors for each layer and $\phi_i : \mathbb{R}^{n_i} \to \mathbb{R}^{n_i}$, $i = 1, 2$, the nonlinear functions for each hidden layer. The functions $\phi_i(\cdot)$ for the hidden units of the neural network are all chosen to be the hyperbolic tangent function applied to each component of the input vector (i.e. $\phi_{ij}(x) = \tanh(x_j)$). In our application, the input vector $x$ is the state of the plant for both the stability region estimators and the performance estimators.


3.1  Estimating  Stability  Regions 

For the stability region estimators, the neural network output $y$ is a two-dimensional vector with components ranging roughly between $-1$ and $1$ in the region of approximation. The ideal output values are $(y_1, y_2) = (1, -1)$ when $x$ belongs to $R^i$ and $(y_1, y_2) = (-1, 1)$ when $x$ is not in $R^i$. To make a distinct classification in the non-ideal case (i.e., when the components of $y$ are not equal to $\pm 1$), two positive threshold parameters, $\theta$ and $\xi$, are selected to implement the following decision rule:

Stability Region Classifier: Declare $x$ belongs to $\hat R^i$ if and only if:

1. $y_1(x) - y_2(x) > \theta$, and

2. $\| \nabla_x (y_1(x) - y_2(x)) \| < \xi$,

where the notation $\nabla_x$ denotes the gradient with respect to $x$.

The stability region classifier is motivated by the necessity of obtaining conservative approximations for the stability regions. The parameter $\theta$ is chosen after the network is trained so that the classification is correct for all the training and validation data. The parameter $\xi$ is chosen much smaller than the maximum of the norm of the gradient of the network output over the domain.

The training of the neural network for the stability region estimator is based on supervised learning procedures. This approach is widely used for pattern recognition and classification applications [3]. To initialize the training for each controller, the following three regions $A \subset B \subset C$ are defined, based on a priori knowledge of the closed-loop system behavior:

1. Inner region $A$. A very conservative region which includes all the states from which convergence to the origin is certain.

2. Study region $B$. The region on which the training procedure is going to be conducted.

3. Unsafe region $C$. The bounding region in which the system is either unstable or the state is outside the operating region of interest.

By making experiments with the controllers starting at states belonging to region $B$, and observing whether the evolution leads the system to region $A$ or to region $C$, data is obtained for region $B$ to train the neural network. This procedure is carried out initially using off-line data, but training can continue on line as the system operates.

Comparisons of the neural network stability region estimator with other approaches to stability region approximation have been presented in [7]. We have found that in all cases, with a reasonable amount of training, the neural network obtains an estimate of the stability region which is much less conservative than most other methods. Moreover, since it is not model-based, the neural network classifier can be applied to systems using empirical data.


3.2  Estimating  Performance  Indices 

Estimating performance indices such as (3) is a standard problem in neuro-dynamic programming [2]. A Heuristic Dynamic Programming (HDP) algorithm [13] is used to train the networks. The training algorithm uses an estimation of the cost-to-go at $x_k$ given by

$$J^{i*}_\delta(x_k) = U^i(x_k) + \delta \hat J^i_\delta(x_{k+1}) \qquad (6)$$

where $J^{i*}_\delta(x_k)$ is the desired value for the network for state $x_k$. Equation (6) is motivated by the definition of $J^i_\delta(x)$ (3), neglecting the bias term $B^i$, which is added directly to the output of the network. In our applications, $U^i(x)$ is a standard quadratic form,

$$U^i(x) = x^T P x, \qquad P^T = P > 0, \qquad i = 1, \ldots, M.$$

The HDP training procedure, illustrated in Figure 2, is described briefly as follows. Given the new state value $x_{k+1}$ at time $k + 1$, the neural network with parameters from time $k$, denoted $NN_i(k)$, is used to predict both $\hat J^i_\delta(x_k)$ and $\hat J^i_\delta(x_{k+1})$. The latter value is used to compute $J^{i*}_\delta(x_k)$ as defined in (6). The difference $\epsilon_k = J^{i*}_\delta(x_k) - \hat J^i_\delta(x_k)$ is used, in a backpropagation algorithm, to update the parameters in the neural network to produce $NN_i(k + 1)$ (indicated by the arrow through the $NN_i$ block).


Analytical results for related problems in the context of Q-learning [5] and temporal differences [12] indicate that convergence should be expected under rather mild conditions. A principal difference between our application and most work on learning cost-to-go performance indices is that the estimated values of the performance indices do not influence the control laws. We assume, rather, that each of the given controllers stabilizes the system and the feedback laws remain fixed.
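The HDP update with the target (6), as an added example that is not the paper's implementation: the two-layer network is replaced by a one-parameter quadratic approximator $\hat J(x) = w x^2$ and the closed loop $x_{k+1} = 0.8 x_k$ is constructed, so that the parameter the update converges to can be checked against the exact cost (3).

```python
# Added example (not the paper's code): the HDP update of section 3.2 with the target (6),
# using a one-parameter quadratic approximator J_hat(x) = w * x^2 in place of the two-layer
# network so that the fixed point can be checked by hand. Plant and controller are constructed:
# x_{k+1} = 0.8 x_k (controller i applied), U(x) = x^2 (P = 1), B^i = 0, delta = 0.95.
def closed_loop_step(x, a=0.8):
    """Constructed closed-loop map F^i: x_{k+1} = a x_k."""
    return a * x


def true_cost(x, a=0.8, delta=0.95):
    """Exact J_delta(x) = sum_k delta^k (a^k x)^2 = x^2 / (1 - delta a^2) for the constructed loop."""
    return x * x / (1.0 - delta * a * a)


def hdp_update(w, x, x_next, delta=0.95, alpha=0.05):
    """One HDP step: target from (6) with the current parameters, error eps_k, gradient step on w.
    For this approximator the step is stable when alpha * x^4 * (1 - delta a^2) < 2, which
    holds for |x| <= 2 with the defaults; larger states would need a normalized step."""
    j_hat_x = w * x * x                      # NN_i(k) prediction for x_k
    j_hat_next = w * x_next * x_next         # NN_i(k) prediction for x_{k+1}
    target = x * x + delta * j_hat_next      # J*(x_k) = U(x_k) + delta * J_hat(x_{k+1})
    eps = target - j_hat_x                   # eps_k = J*(x_k) - J_hat(x_k)
    return w + alpha * eps * x * x           # dJ_hat/dw = x^2 (backpropagation for w)


def train_hdp(starts, episodes=100, length=20, delta=0.95, alpha=0.05):
    """Repeated episodes from the states in `starts` (the study region B of section 3.1)."""
    w = 0.0
    for _ in range(episodes):
        for x0 in starts:
            x = x0
            for _ in range(length):
                x_next = closed_loop_step(x)
                w = hdp_update(w, x, x_next, delta, alpha)
                x = x_next
    return w


if __name__ == "__main__":
    w = train_hdp([0.5, 1.0, 1.5, 2.0])
    print(f"learned w = {w:.5f}, exact coefficient = {true_cost(1.0):.5f}")
```

The fixed point of the update is $w = 1/(1 - \delta a^2)$, which is the coefficient of the exact cost; the gradient step moves $w$ toward it by a factor $1 - \alpha x^4 (1 - \delta a^2)$ per sample.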


4  Analysis  of  Closed-Loop  Performance 


We first consider the system behavior in the perfect information case, that is, when the performance measures and stability regions are known for each controller. We then consider the effect of using the neural network estimators rather than the exact values.

The approach to analyzing the closed-loop system follows the technique for the min-switching strategy suggested in [8] for the continuous-time case. To restate the basic Lyapunov results for our discrete-time context, suppose for each control law $g^i$ there is a known Lyapunov function $V^i(x)$ for the closed-loop system under that control law within the region of stability $R^i$. Moreover, suppose the control applied at each sample instant is chosen according to the min-switching strategy, that is, the control is selected which corresponds to a Lyapunov function with the minimum value among all the Lyapunov functions evaluated at the current state. The following theorem is the discrete-time version of the result in [8].
Theorem 1. If the system given by (1) is controlled by the min-switching strategy applied to a set of known Lyapunov functions, the origin is asymptotically stable in the region $R = \bigcup_i R^i$. Moreover, the function

$$W(x) = \min_{i \in \{i \mid x \in R^i\}} \{ V^i(x) \} \qquad (7)$$

is a Lyapunov function on $R$.

Proof. Follows from the continuous-time result in [8], mutatis mutandis.


We now apply this result to the min-switching strategy considered in this paper by observing that if the performance indices $J^i_\delta$ (3) converge ($\delta = 1$), they are in fact Lyapunov functions for the respective controllers.


Theorem 2. Given the system defined by (1) and a collection of control laws $g^i$, $i = 1, \ldots, M$. Suppose for each control law the origin is asymptotically stable for the closed-loop system

$$x_{k+1} = F^i(x_k)$$

in a connected region $R^i$, and $J^i_\delta$ given by (3) converges for $\delta = 1$. Then there exists a $\delta^* \in (0, 1)$ such that the origin is asymptotically stable in the region $R = \bigcup_i R^i$ for the closed-loop system controlled by the min-switching strategy [8] for any $\delta \in (\delta^*, 1]$. Moreover, for any $\delta \in (\delta^*, 1]$ the function

$$J_\delta = \min_{i \in \{j \mid x \in R^j\}} J^i_\delta(x)$$

is a Lyapunov function on $R$.

Proof. For each $i$, if $J^i_\delta$ converges, it follows from the definition of $J^i_\delta$ that it is continuous in $\delta$ and therefore there exists some $\delta^{i*} \in (0, 1)$ such that for all $\delta \in (\delta^{i*}, 1]$, $J^i_\delta$ is a Lyapunov function for the closed-loop system under control law $i$ on $R^i$. The theorem follows by letting $\delta^* = \max(\delta^{1*}, \ldots, \delta^{M*})$.

We now turn to the min-switching strategy using the neural network estimators. In the following we assume the stability region estimators are all conservative, that is, for all $i = 1, \ldots, M$, $\hat R^i \subseteq R^i$. Moreover, we assume all the stability region estimates are nonempty and connected. These assumptions are reasonable given the properties of neural network classifiers and the ability to initiate the training for the stability region estimators based on a priori knowledge of the capabilities of the given controllers.


Theorem 3. Suppose the assumptions of Theorem 2 are satisfied and the performance estimates are computed using $\delta \in (\delta^*, 1]$, where $\delta^*$ is as specified in Theorem 2. Furthermore, suppose $J^i_\delta$ is continuous on $R^i$. If for some $\epsilon > 0$ the performance estimates satisfy

$$| J^i_\delta(x) - \hat J^i_\delta(x) | < \epsilon \quad \text{for all } x \in R^i,\ i = 1, \ldots, M \qquad (9)$$

and the min-switching strategy is applied for some $x_0 \in R = \bigcup_i R^i$, resulting in a state trajectory such that there exists $K \in \mathbb{N}$ for which $x_k \in \bigcap_i \hat R^i$, $\forall k \ge K$, then $x_k \to X_\epsilon$ where

$$X_\epsilon = \bigcup_i \bar X^i_\epsilon = \bigcup_i \{ x \mid J^i_\delta(x) \le \sup_{z \in X^i_\epsilon} J^i_\delta(z) \} \qquad (10)$$

and

$$X^i_\epsilon = \{ x \in R^i \mid -\Delta J^i_\delta(x) \le 2\epsilon \}.$$

Proof. For a given $x_0 \in R$, let $i_k$ be the sequence of controllers selected by the min-switching rule. If there exists some $K$ and $l \in \{1, \ldots, M\}$ such that $i_k = l$ for all $k \ge K$, the theorem is true since the origin is a stable equilibrium for controller $l$. On the other hand, if the controller switches infinitely often, there must be one controller $l$ which is selected infinitely often. Let the sequence of time indices $0 \le k_1 < \ldots$ be an infinite sequence of sampling instants when controller $l$ is selected, with $x_k \in \bigcap_i \hat R^i$, $\forall k \ge k_1$. The min-switching rule implies

$$\hat J^l_\delta(x_{k_{j+1}}) < \hat J^l_\delta(x_{k_j}), \quad \forall j$$

because of the limits $L^l_{k_j}$. Since the $\hat J^l_\delta(x_{k_j})$ are bounded from below, the sequence $\hat J^l_\delta(x_{k_j})$ converges to some constant $C$.

For each $i = 1, \ldots, M$ let $\eta^i(x)$ denote the error in the $i$th performance estimate at state $x$, where it is assumed $|\eta^i(x)| < \epsilon$ for some $\epsilon > 0$. This implies that when the $i$th controller is applied at a state $x \in R^i$,

$$\Delta \hat J^i_\delta(x) \equiv \hat J^i_\delta(F^i(x)) - \hat J^i_\delta(x) = \Delta J^i_\delta(x) + \eta^i(F^i(x)) - \eta^i(x) < \Delta J^i_\delta(x) + 2\epsilon.$$

Since $J^i_\delta$ is a Lyapunov function for the system under controller $i$, $\Delta J^i_\delta(x) < 0$. Returning to the specific controller $l$, suppose that there are an infinite number of the $x_{k_j}$ that remain a finite distance from the set

$$X^l_\epsilon = \{ x \in R^l \mid -\Delta J^l_\delta(x) \le 2\epsilon \}.$$

This would imply the sequence $\Delta \hat J^l_\delta(x_{k_j})$ is negative and bounded away from zero infinitely often, contradicting $\hat J^l_\delta(x_{k_j}) \to C$. Therefore, $x_{k_j} \to X^l_\epsilon$. More precisely, given any $\epsilon' > 0$, there exists some $K_1$ such that the distance $d(x_{k_j}, X^l_\epsilon) < \epsilon'$ for all $k_j \ge K_1$. This is illustrated in Figure 3.

While controller $l$ is applied, $J^l_\delta(x_k)$ is monotone non-increasing since $J^l_\delta$ is a Lyapunov function for the system. Therefore, $J^l_\delta(x_k) \le J^l_\delta(x_{k_j})$ for $k > k_j$ until another controller becomes active (see Figure 3). Define $I_l = \{ k \in \mathbb{N} \mid i_k = l \}$ and $\bar J^l_\delta = \sup_{x \in X^l_\epsilon} J^l_\delta(x)$. Then, for any given $\beta > 0$ we have

$$\hat J^l_\delta(x_k) \le \sup_{k_j} \hat J^l_\delta(x_{k_j}) \le \bar J^l_\delta + \beta \quad \forall k \in I_l,\ k \ge K_1$$

because of the continuity assumption on $J^l_\delta(x)$. Since this has to be true for any $l$, after a finite $K$ beyond which all the controllers that are not used an infinite number of times do not become active anymore, the sequence $x_k$ is arbitrarily close to $X_\epsilon$.


This theorem indicates that when the performance estimates are used rather than the exact performance indices, the min-cost switching strategy will drive the state to a neighborhood of the origin determined by the magnitudes of the errors in the performance estimates for each controller. Theorem 3 does not guarantee that the neighborhood is arbitrarily small, however. Moreover, the exact performance measures are not known in general, so the neighborhood in Theorem 3 could not be computed even if the bound on the estimation error were known. These difficulties are eliminated when $\delta = 1$, however, since in this case we have $\Delta J^i_1(x) = -U(x)$.
Corollary 4. Under the assumptions of Theorem 3 with $\delta = 1$, if the min-switching strategy is applied for some $x_0 \in R = \bigcup_i R^i$, resulting in a state trajectory such that $x_k \to H$, then
$$x_k \to \{x \in \mathbb{R}^n \mid U(x) \le 2\epsilon\}.$$
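The following Python script is an added illustration of the min-switching rule behind Theorem 3 and Corollary 4; it is not code from the paper or from the SIMPLEX testbed. It simulates a constructed one-dimensional plant with two controllers that play the roles of $U_1$ (a low-gain proportional law, acceptable near the origin) and $U_2$ (a bang-bang law, better far away but chattering near the origin). The plant, the stage cost $U(x) = x^2$, the truncated horizon and the sinusoidal error $\eta^i$ that stands in for the neural-network estimation error are all assumptions of the example. With $\delta = 1$ the index $J^i(x)$ is the cost accumulated along controller $i$'s closed-loop trajectory from $x$, so $\Delta J^i(x) = -U(x)$ as in the text, and the rule compares the estimates $\hat J^i = J^i + \eta^i$ at every sampling instant.

```python
"""Min-switching between two controllers using performance estimates with
bounded error.  Added illustration: the plant, controllers, cost and error
model are constructed for this example, not the paper's vessel system."""
import math

STEP = 0.5      # sampling period h in the constructed plant x_{k+1} = x_k + h*u_k
U_MAX = 1.0     # actuator limit (cf. the stepper-motor speed limit in Section 5)
HORIZON = 60    # truncation of the infinite-horizon cost sum


def plant(x, u):
    """Constructed integrator plant with a saturated input."""
    u = max(-U_MAX, min(U_MAX, u))
    return x + STEP * u


def controller_1(x):
    """Low-gain proportional law: smooth, acceptable near the set point."""
    return -0.25 * x


def controller_2(x):
    """Bang-bang law: fast far from the set point, chatters near it."""
    return -math.copysign(U_MAX, x) if x != 0 else 0.0


CONTROLLERS = (controller_1, controller_2)


def U(x):
    """Stage cost U(x); with delta = 1 the text has Delta J^i(x) = -U(x)."""
    return x * x


def J(i, x, horizon=HORIZON):
    """Truncated performance index J^i(x): cost accumulated along the
    closed-loop trajectory of controller i started at x (delta = 1)."""
    total = 0.0
    for _ in range(horizon):
        total += U(x)
        x = plant(x, CONTROLLERS[i](x))
    return total


def J_hat(i, x, k, eps):
    """Performance *estimate*: J^i(x) plus a constructed deterministic error
    eta^i with |eta^i| <= eps, standing in for the neural-network error."""
    eta = eps * math.sin(3.7 * x + 1.3 * i + 0.5 * k)
    return J(i, x) + eta


def min_switching(x0, eps, steps=40):
    """Min-switching rule: at every sampling instant apply the controller
    whose *estimated* index at the current state is smallest."""
    x, trajectory, schedule = x0, [x0], []
    for k in range(steps):
        i = min(range(len(CONTROLLERS)), key=lambda c: J_hat(c, x, k, eps))
        schedule.append(i + 1)          # report controllers 1-based as in the text
        x = plant(x, CONTROLLERS[i](x))
        trajectory.append(x)
    return trajectory, schedule


def switch_index(schedule):
    """First instant from which controller 1 stays selected (None if never)."""
    for k in range(len(schedule)):
        if all(s == 1 for s in schedule[k:]):
            return k
    return None


if __name__ == "__main__":
    traj, sched = min_switching(x0=3.7, eps=0.05)
    print("schedule:", sched)
    print("switch to controller 1 at k =", switch_index(sched))
    print("final state:", traj[-1], "U(final) =", U(traj[-1]))
```

Run as a script: the scheduler keeps controller 2 while the state is far from the origin and switches permanently to controller 1 once the chatter of the bang-bang law would dominate the remaining cost, mirroring the crossover of $\hat J^1_\delta$ and $\hat J^2_\delta$ reported for the vessel in Section 5. The final state satisfies $U(x) \le 2\epsilon$, the bound of Corollary 4, and in this run the estimated indices differ by more than $2\epsilon$ at every instant, so an estimation error of magnitude $\epsilon$ cannot alter the switching instant.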


5  An  Application 


One  of  the  principal  motivations  for  developing  the  controller  switching 
strategy  presented  in  this  paper  is  to  provide  a  method  for  implement¬ 
ing  the  switching  rules  in  the  SIMPLEX  architecture,  a  real-time  environ¬ 
ment  developed  at  the  Software  Engineering  Institute  at  Carnegie  Mellon 
University  that  provides  protection  against  errors  in  control  system  up¬ 
grades.  Figure  4  shows  a  typical  configuration  for  SIMPLEX  in  which  there 
are three controllers: a safety controller, a reliable baseline controller, and an experimental controller representing a new, untested control module. The basic idea of the SIMPLEX system is to guarantee that the baseline controller performance is maintained if there are problems in the experimental controller. This is accomplished by monitoring the control outputs and system performance when the experimental controller is installed, and switching control back to the baseline controller if problems are detected. The safety controller is invoked when it is necessary to take more extreme action to return the system to the operating region for the baseline controller.

Fig. 3. [...] to $X_\epsilon$.




Fig. 4. SIMPLEX architecture.


Clearly the ability of the SIMPLEX system to provide the desired protection against errors in the experimental controller depends entirely on the rules used to switch between controllers. These rules are very difficult to create and maintain, even for small systems. The neural network approach proposed in this paper provides a means of obtaining less conservative estimates of the stability regions for the controllers, and also a method for determining when to switch from the safety controller back to the baseline controller based on estimates of their performance.

We present results here on the implementation of the min-switching control strategy for a level-control system for an underwater vessel. This system has been designed at the Software Engineering Institute at Carnegie Mellon University as a testbed for the development of dependable and evolvable systems using the SIMPLEX architecture. The experimental system consists of a water tank in which a vessel can move vertically by changing the size of the air bubble inside it. Air is moved in and out of the vessel through a flexible tube connected to a cylinder-piston mechanism. Figure 5 shows a schematic diagram of the system components. The control goal is to stabilize the vessel at an arbitrary position inside the water tank. The position of the vessel and the size of the air bubble are measured directly using ultrasound sensors. A stepper motor controls the piston movement. Constraints are imposed by the bottom of the tank and the water level. The control input is limited by the maximum speed of the stepper motor.
Fig. 5. Schematic diagram for the submerged vessel system.

A set point of $y_{st} = 25$ in was selected. Two controllers were used to test the switching strategy. Both controllers are state feedback controllers used in the original SIMPLEX architecture implementation. One controller, $U_1$, has acceptable performance close to the set point, while the second controller, $U_2$, performs better in a larger operating region using a bang-bang action, but with unacceptable oscillations near the set point. An analytical model was used for initial training of the neural network; then experimental data from twenty runs were used to adapt the parameters of the neural networks to estimate the performance indices of both controllers. Figure 6 shows a typical data profile used to estimate the performance index of one of the controllers, and Figure 7 shows a slice of the resulting performance estimate.

Figure 8 shows a switching experiment for a step change in the set point value $y_{st}$ from 13 to 25 inches. Figure 9 shows the estimated performance indices during the run. From the figure we observe that controller 2 is preferred for larger values of $y$. After approximately 5.5 seconds $\hat J^1_\delta$ becomes smaller than $\hat J^2_\delta$ and the scheduler switches to controller 1.


Fig. 6. Data obtained from an experimental run for a controller.

Fig. 7. Performance index estimate ($y = 0$).


6  Discussion 


This paper presents a method for switching among a set of given controllers using multilayer feedforward neural networks and neuro-dynamic programming techniques. In contrast to switching control strategies aimed at adapting to unknown plant dynamics, the objective in this work is to select the best controller from among a set of controllers that have been designed for a known plant. This objective is most closely aligned with the switching control strategies proposed in [8] and [6]. By using neural networks to estimate the stability regions and performance indices for the controllers, the switching strategy depends on experimental data from the actual system, rather than on analytical models that may lead to misleading or incorrect switching rules. We present a new result on the stability of the min-switching strategy using estimates of Lyapunov functions.

Fig. 8. Level relative position of the vessel and bubble size during a switching experiment.

Fig. 9. Performance index estimates for the controllers of the submerged vessel during a switching experiment.

The  convergence  and  stability  results  in  this  paper  are  sufficient  con¬ 
ditions.  There  are  several  open  problems  concerning  the  verification  of 
these  conditions  in  applications  and  the  possibility  of  obtaining  less  con¬ 
servative  results.  For  the  closed-loop  behavior,  the  ramifications  of  con¬ 
tinued  learning  and  persistent  excitation  need  to  be  studied  further.  It 
would  be  desirable  to  introduce  techniques  by  which  performance  es¬ 
timate  learning  could  be  achieved  for  the  controllers  that  are  not  cur¬ 
rently  controlling  the  system,  by  introducing,  perhaps,  a  model  of  the 
system  being  controlled.  The  introduction  of  adaptive  control  to  deal 
with  changes  in  the  plant  dynamics  may  also  be  important  for  some 
applications. 
Abstract. The paper proposes a first-order logic for the specification of continuous components of hybrid systems. The particularity of the approach lies in its interpretation of individual variables not as functions over time or as point-based values, but as environment-based values. An environment-based value closely models the local behavior of a function defined on a continuous time domain. The advantage of the approach is that it enables us to consider the derivation operator as an ordinary unary logical function. Thus, the logic is free from any built-in operators; they can all be defined on the elements of the carrier set of environment-based values.

To  facilitate  the  definition  of  additional  logical  functions  and  predicates 
like  limit,  derivation  of  arbitrary  order  or  continuity,  the  user  is  allowed 
to  specify  them  in  the  intuitive  notation  of  functions  defined  on  time. 
The  semantics  of  the  logic  provides  two  lifting  operators,  which  lift  the 
functions  and  the  predicates  to  the  appropriate  semantic  spaces.  These 
lifting  operators  do  not  violate  the  intuitive  meaning  of  the  introduced 
constructs.  An  outline  of  the  proof  of  this  fact  is  given. 


1  Introduction 

A specification of a system usually determines a set of permitted system behaviors. If $T$ is the considered time domain¹, $V$ a finite set of system variables, and $Val$ a set of possible values, then a state is an assignment of a value to each system variable and a behavior is an assignment of a state to each time point. The set of all states is denoted by $\Sigma$ and the set of all system behaviors by $BEH$, i.e. $\Sigma := V \to Val$ and $BEH := T \to \Sigma$. With these definitions, the task of a specification is to define an appropriate subset of $BEH$.

To  formally  specify  hybrid  systems,  powerful  specialized  description  tech¬ 
niques  for  discrete  and  continuous  parts  of  the  system  are  needed.  Also  required 

This  work  is  being  funded  as  part  of  the  KONDISK  program  of  the  German  Research 
Foundation  (DFG). 

1  T  is  often  chosen  as  a  finite  or  infinite  interval  of  real  numbers  R  or  as  the  natural 
numbers  N. 
are means for combining discrete and continuous components naturally. For more than twenty years, numerous logics and model-based languages have been available which are tailored to the proper specification of discrete systems, like VDM [7] or Z [11]. The central concepts on which these languages are based are state invariants and operations. The system is specified by describing a state invariant $INV \subseteq \Sigma$ and a finite set of operations $o_1, \ldots, o_n$, each of them denoting a binary relation on $\Sigma$. Roughly speaking, the invariant specifies the static, and the operations the dynamic, aspects of a system. The system variables are interpreted as elements of $Val$. The state invariant $INV$ and the operations $o_i$ are specified using predicates on $\Sigma$ and $\Sigma \times \Sigma$, respectively, both formulated in predicate logic. In the case of real-time extensions of such formalisms, the user can additionally describe some time aspects of the system behavior, like the duration of an operation or the time the system remains in a particular state. Because ordinary predicate logic is used, the available toolkit can be extended by defining supplementary functions and predicates, thus leading to flexibility in the choice of the specification means, cf. [7, 11].

Continuous systems cannot be described in the same style, since their dynamics is not expressible by operations; instead, differential equations are often used. These contain derivatives of state variables. Because the derivative of a function at a certain time point $t$ cannot be determined if only the value of this function at $t$ is known, the variables are usually interpreted not as elements of $Val$, as in the discrete case, but as functions $T \to Val$ (cf. the topological approach of [8]) or $I \to Val$ with a non-empty interval $I \subseteq T$ (cf. Hybrid Temporal Logic [6], Hybrid Automata [1], (Extended) Duration Calculus [10]). In most of these approaches, the derivation is a built-in operator that may be applied only to system variables and not to arbitrary expressions, because the latter may represent nondifferentiable behavior. The possibilities for enlarging the existing specification means are very limited, especially compared with discrete specification languages. One of the reasons for this restriction is the difficulty of guaranteeing the semantic compatibility of newly introduced operators with the underlying semantics, because the semantic space (often chosen as the set of piecewise differentiable functions) is normally not closed against the user-defined operators (cf. [10, p. 18]).

From  the  point  of  view  of  logics,  the  derivation  is  a  logical  function,  and 
equality  is  a  logical  predicate,  so  a  differential  equation  can  be  seen  as  an  or¬ 
dinary  (atomic)  logical  formula.  If  an  appropriate  interpretation  of  the  system 
variables  can  be  found  such  that  the  derivation  is  definable  as  an  ordinary  total 
logical  function  on  this  interpretation  set,  then  the  derivation  can  be  removed 
from  the  set  of  built-in  operators  of  a  specification  language  and  replaced  by  a 
conventional  user  interface,  allowing  the  definition  of  additional  logical  functions 
and  predicates.  In  doing  so,  a  substantial  advantage  with  respect  to  the  flexibil¬ 
ity  of  the  specification  language  can  be  achieved  because  additional  definitions 
are  not  only  restricted  to  derivation. 

In this paper, the Continuous Environment-Based Logic (CEL) is presented. The syntax of CEL is the syntax of ordinary first-order logic. The main particularity is the special interpretation of the individual variables as environment-based values from the semantic space, called $Val_E$. The state space of the system is thus equal to $V \to Val_E$. On the one hand, this interpretation allows definition of the derivation, the limit, the continuity, and other well-known notions of calculus as conventional total logical functions and predicates on the elements of $Val_E$. As the semantic space is closed against all these user-defined constructs and they are all total, each syntactic CEL-term has a well-defined semantics. On the other hand, continuous systems can be specified using CEL without explicitly mentioning the time variable and without interpreting the variables as functions of time, because the elements of $Val_E$ contain only local information.

The  paper  is  organized  as  follows.  In  Section  2,  we  introduce  the  logic  CEL, 
describing  in  particular  its  syntax,  two  different  interpretations  of  the  syntax, 
and  the  relation  between  these  interpretations.  Section  3  presents  examples  of 
user-defined  functions  and  predicates  and  illustrates  how  they  can  be  used  to 
specify  continuous  systems.  Some  concluding  remarks  are  given  in  Section  4. 

2  The  Logic  CEL 

2.1  Semantic  Space 

To motivate the structure of the environment-based values, we consider the following problem. Let $f : \mathbb{R} \to \mathbb{R}$ be a function and $t \in \mathbb{R}$. Which information about $f$ is necessary and sufficient to decide the following questions: Is $f$ continuous at $t$? Does the limit (derivative) of $f$ at $t$ exist and, if so, what is its value? On the one hand, we obviously do not have to know the values of $f$ on the whole of $\mathbb{R}$. On the other hand, it is not enough to know only the value of $f$ at $t$, i.e. $f(t)$. The knowledge of $f$ in every $\varepsilon$-environment of $t$ is sufficient, but for no concrete $\varepsilon$-environment is it really necessary. So, roughly speaking, we can represent the local behavior of $f$ around $t$ by the collection of all functions matching pairwise on some $\varepsilon$-environment of $t$.

To formalize this idea, we define the set $BF := \mathbb{R} \rightharpoonup Val$ of basic functions, which play the role of $f$ in the above motivation. Because in CEL we want to be able to define limit, derivation, continuity, and other similar environment-based notions as total functions and predicates on $Val_E$, and because such functions do not always yield a defined value when defined conventionally, we allow basic functions to be partial (denoted by $\rightharpoonup$). Next, we define the equivalence relation $\sim$ on $BF \times \mathbb{R}$. $(f_1, t_1) \sim (f_2, t_2)$ states that $f_1$ and $f_2$ behave equally in an $\varepsilon$-environment of $t_1$ and $t_2$, respectively. (We use the syntax of Z [11] to express mathematics. $\lhd$ denotes the domain restriction of a function, $(a, b)$ stands for an open real-valued interval bounded by $a$ and $b$. $\mathbb{R}_{>0}$ denotes the positive real numbers. The application of the auxiliary function $Shift$ to $(f, x)$ shifts the basic function $f$ to the right by the value $x$.)

$$\_ \sim \_ : (BF \times \mathbb{R}) \leftrightarrow (BF \times \mathbb{R})$$

$$\forall f_1, f_2 : BF;\ t_1, t_2 : \mathbb{R} \bullet (f_1, t_1) \sim (f_2, t_2) \Leftrightarrow \exists \varepsilon : \mathbb{R}_{>0} \bullet (t_1 - \varepsilon, t_1 + \varepsilon) \lhd f_1 = Shift\big((t_2 - \varepsilon, t_2 + \varepsilon) \lhd f_2,\ t_1 - t_2\big)$$
An environment-based value is represented by a function mapping each time point $t \in \mathbb{R}$ to the set of all basic functions matching pairwise on some $\varepsilon$-environment of $t$ ($\mathrm{dom}\, f$ denotes the domain of $f$, $\mathbb{P}_1$ the set of non-empty subsets). We model the local behavior by all functions and for all points of time in order to avoid different representations for the same local behavior. An environment-based value contains less information than a definition of a function on any nonempty interval and more than a conventional point-based value. We do not require any analytical restrictions on the values of $Val$; throughout this paper continuous systems are seen as the set of all systems defined on a continuous time domain.

$$Val_E := \{\, ev : \mathbb{R} \to \mathbb{P}_1\, BF \mid \forall t_1, t_2 : \mathbb{R} \bullet \forall f_1 : ev(t_1);\ f_2 : ev(t_2) \bullet (f_1, t_1) \sim (f_2, t_2) \ \wedge\ (\forall f : BF \bullet (f, t_2) \sim (f_1, t_1) \Rightarrow f \in ev(t_2)) \,\}$$

The auxiliary function $CreateEnv : BF \times \mathbb{R} \to Val_E$, which is needed for later developments, takes a basic function and a time point as arguments and yields the environment-based value characterized by this pair. Formally, it is (uniquely) defined by

$$CreateEnv(f, t) := (\mu\, ev : Val_E \mid f \in ev(t)).$$
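A worked instance of these two definitions, added here and not taken from the paper: let $f_1(u) = u^2$ with $t_1 = 0$ and $f_2(u) = (u - 1)^2$ with $t_2 = 1$. For every $\varepsilon > 0$ and every $u \in (t_1 - \varepsilon, t_1 + \varepsilon)$,
$$Shift\big((t_2 - \varepsilon, t_2 + \varepsilon) \lhd f_2,\ t_1 - t_2\big)(u) = f_2\big(u - (t_1 - t_2)\big) = f_2(u + 1) = u^2 = f_1(u),$$
so $(f_1, 0) \sim (f_2, 1)$. Let $ev := CreateEnv(f_1, 0)$. The two conditions in the definition of $Val_E$ (pairwise equivalence of all members, and closure of each $ev(s)$ under $\sim$) force
$$ev(s) = \{\, g : BF \mid (g, s) \sim (f_1, 0) \,\} \quad \text{for every } s \in \mathbb{R},$$
so in particular $f_2 \in ev(1)$, and the uniqueness of the $\mu$-description gives
$$CreateEnv(f_1, 0) = CreateEnv(f_2, 1).$$
An environment-based value thus records the local shape of a behavior but not the instant at which it occurs, which is what allows a CEL specification to omit the time variable, as claimed in the introduction.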

2.2  Syntax 

As  mentioned  above,  the  syntax  of  CEL  does  not  differ  from  the  syntax  of 
ordinary  first-order  logic.  We  specify  it  for  the  sake  of  completeness. 

Definition 1 (individual variables, signature). We denote the (countable) set of individual variables by $V$. A signature $S$ is a triple $(F_S, P_S, \alpha_S)$, where $F_S$ is a finite or countably infinite set of function symbols, $P_S$ a finite or countably infinite set of predicate symbols with $F_S \cap P_S = \emptyset$, and $\alpha_S : P_S \cup F_S \to \mathbb{N}$ the arity function. A $p \in P_S$ with $\alpha_S(p) = n$ is called an $n$-ary predicate symbol, and an $f \in F_S$ with $\alpha_S(f) = n$ an $n$-ary function symbol. If $\alpha_S(f) = 0$, then we call $f$ a constant.

Definition 2 (terms). The set $T_S$ of $S$-terms over a signature $S$ is defined as the smallest set with the following properties:

- All individual variables $v \in V$ are terms.

- All function symbols $c \in F_S$ with arity 0 are terms.

- If $f \in F_S$ is an $n$-ary function symbol ($n > 0$) and $t_1, \ldots, t_n$ are terms, then $f(t_1, \ldots, t_n)$ is also a term.

Definition 3 (atomic formulas). The set of atomic formulas $AtFor_S$ over a signature $S$ is the smallest set with the following properties:

1. Every 0-ary predicate symbol $p \in P_S$ is an atomic formula.

2. If $p \in P_S$ is an $n$-ary predicate symbol ($n > 0$) and $t_1, \ldots, t_n$ are terms, then $p(t_1, \ldots, t_n)$ is an atomic formula.

Definition 4 (formulas). The set of formulas $For_S$ over a signature $S$ is the smallest set with the following properties:

1. $AtFor_S \subseteq For_S$ (each atomic formula is a formula).

2. Let $A, B \in For_S$. Then $(\neg A)$, $(A \Rightarrow B)$ and $(\forall v \bullet A)$ are elements of $For_S$.

The parentheses may be omitted according to the usual priority rules. We use the common logical abbreviations: $A \vee B$ stands for $\neg A \Rightarrow B$, $A \wedge B$ for $\neg(\neg A \vee \neg B)$, and $\exists v \bullet A$ for $\neg \forall v \bullet \neg A$.


2.3  Environment-Based  Interpretation 

The semantics of CEL is developed according to the same standard structural definitions as the semantics of ordinary first-order logic. The primary difference is the interpretation of individual variables not on arbitrary carrier sets, but on the set $Val_E$. Since we give another interpretation to the same syntax later (the so-called function-based interpretation, cf. Section 2.4), we mark the notions introduced in this section with an E. We denote the sets $Val_E^n \to Val_E$ and $\mathbb{P}(Val_E^n)$ of $n$-ary functions and relations on $Val_E$ for $n \in \mathbb{N}_1$ by $\mathcal{F}^E_n$ and $\mathcal{P}^E_n$, respectively.

Definition 5 (E-interpretation). Let $S$ be a signature. An E-interpretation (environment-based interpretation) $I_E$ is defined as follows:

1. $I_E$ assigns to each $n$-ary function symbol $f$ with $n > 0$ an $n$-ary function on E-values, i.e. $I_E(f) \in \mathcal{F}^E_n$.

2. $I_E$ assigns to each constant $c \in F_S$ an E-value, i.e. $I_E(c) \in Val_E$.

3. $I_E$ assigns to each $n$-ary predicate symbol $p$ with $n > 0$ an $n$-ary relation on E-values, i.e. $I_E(p) \in \mathcal{P}^E_n$.

4. $I_E$ assigns to each 0-ary predicate symbol $p$ one of the Boolean values $tt$ or $ff$.

Definition 6 (E-evaluation of terms). Let $S$ be a signature and $I_E$ an E-interpretation of $S$. For each E-assignment $\beta : V \to Val_E$, we define the function $\beta_{I_E} : T_S \to Val_E$ as follows:

1. $\beta_{I_E}(v) := \beta(v)$ for every $v \in V$

2. $\beta_{I_E}(c) := I_E(c)$ for each $c \in F_S$ with $\alpha_S(c) = 0$

3. $\beta_{I_E}(f(t_1, \ldots, t_n)) := I_E(f)(\beta_{I_E}(t_1), \ldots, \beta_{I_E}(t_n))$ for $n > 0$, $f \in F_S$, $\alpha_S(f) = n$, $t_1, \ldots, t_n \in T_S$

Definition 7 (E-evaluation of formulas). Let $S$ be a signature, $I_E$ an E-interpretation of $S$, and $\beta$ an E-assignment of $V$. We define $\omega_{I_E,\beta} : For_S \to \{tt, ff\}$ by structural induction over the construction of formulas as follows:

1. $$\omega_{I_E,\beta}(p(t_1, \ldots, t_n)) := \begin{cases} tt & \text{if } (\beta_{I_E}(t_1), \ldots, \beta_{I_E}(t_n)) \in I_E(p) \\ ff & \text{otherwise} \end{cases}$$
for $p \in P_S$ with $\alpha_S(p) = n > 0$, $t_1, \ldots, t_n \in T_S$;
$\omega_{I_E,\beta}(p) := I_E(p)$ for $p \in P_S$ with $\alpha_S(p) = 0$.

2. $$\omega_{I_E,\beta}(\neg B) := \begin{cases} tt & \text{if } \omega_{I_E,\beta}(B) = ff \\ ff & \text{if } \omega_{I_E,\beta}(B) = tt \end{cases}$$

3. $$\omega_{I_E,\beta}(B \Rightarrow C) := \begin{cases} ff & \text{if } \omega_{I_E,\beta}(B) = tt \text{ and } \omega_{I_E,\beta}(C) = ff \\ tt & \text{otherwise} \end{cases}$$

4. $$\omega_{I_E,\beta}(\forall v \bullet B) := \begin{cases} tt & \text{if for all } ev \in Val_E\ \ \omega_{I_E,\beta_v^{ev}}(B) = tt \text{ holds} \\ ff & \text{otherwise} \end{cases}$$
where $\beta_v^{ev} : V \to Val_E$ is defined as follows:
$$\beta_v^{ev}(x) := \begin{cases} ev & \text{if } x = v \\ \beta(x) & \text{if } x \ne v \end{cases}$$

Definition 8 (E-validity of formulas). Let $S$ be a signature and $I_E$ an E-interpretation of $S$. The partial function $\omega_{I_E} : For_S \rightharpoonup \{tt, ff\}$ is defined as follows:

$$\omega_{I_E}(A) := \begin{cases} tt & \text{if for all } \beta : V \to Val_E\ \ \omega_{I_E,\beta}(A) = tt \text{ holds} \\ ff & \text{if for all } \beta : V \to Val_E\ \ \omega_{I_E,\beta}(A) = ff \text{ holds} \\ \text{undefined} & \text{otherwise} \end{cases}$$


2.4  Function-Based  Interpretation 

The elements of $Val_E$ have a rather complex structure, thus it would be very awkward to define all the functions and predicates the user may need for the specification of continuous behavior on the set $Val_E$. The function-based interpretation presented in this section interprets the individual variables of CEL on basic functions. The function symbols are interpreted not as arbitrary functions $f : BF^n \to BF$, but as admitted functions which preserve $\sim$ ($\sim_n$ is the extension of $\sim$ to $n$-dimensional vectors of functions). The predicate symbols are interpreted as admitted predicates, defined as subsets of $BF^n \times \mathbb{R}$ which are closed against $\sim_n$. All these structures are much more familiar to the user, compared with their E-based counterparts.

The result of an F-evaluation of a formula depends not only on the interpretation $I_F$ and an assignment $\beta$, but, unlike E-interpretations, also on the current time point $t$. A formula is F-valid if it evaluates to true for all interpretations, assignments, and time points. Thus, compared with an E-interpretation, an F-interpretation is more intuitive but less abstract because of the explicit dependence on time. In Section 2.5, it will be shown that, under some circumstances, E-validity and F-validity are equivalent.
Definition 9 (admitted functions and predicates). The families of admitted functions $(\mathcal{F}^F_n \mid n \in \mathbb{N}_1)$ and admitted predicates $(\mathcal{P}^F_n \mid n \in \mathbb{N}_1)$ are defined as follows:

- $\mathcal{F}^F_n := \{\, F : BF^n \to BF \mid \forall f_1, f_2 : BF^n;\ t_1, t_2 : \mathbb{R} \bullet (f_1, t_1) \sim_n (f_2, t_2) \Rightarrow (F(f_1), t_1) \sim (F(f_2), t_2) \,\}$

- $\mathcal{P}^F_n := \{\, P : \mathbb{P}(BF^n \times \mathbb{R}) \mid \forall f_1, f_2 : BF^n;\ t_1, t_2 : \mathbb{R} \bullet (f_1, t_1) \in P \wedge (f_1, t_1) \sim_n (f_2, t_2) \Rightarrow (f_2, t_2) \in P \,\}$

It can be shown that the family of admitted functions is closed against composition. More precisely, if $F \in \mathcal{F}^F_n$ and $G \in \mathcal{F}^F_m$, then for each $h_i : BF^{n+m-1} \to BF$ ($1 \le i \le n$) defined by

$$h_i(f_1, \ldots, f_{n+m-1}) := F\big(f_1, \ldots, f_{i-1},\ G(f_i, \ldots, f_{i+m-1}),\ f_{i+m}, \ldots, f_{n+m-1}\big),$$

$h_i \in \mathcal{F}^F_{n+m-1}$ holds. Moreover, it can be shown that the sets of admitted predicates are closed against union, intersection, and complement.

Definition 10 (F-interpretation). Let $S = (F_S, P_S, \alpha_S)$ be a signature. An F-interpretation (function-based interpretation) $I_F$ has the following properties:

1. $I_F$ assigns to each $n$-ary function symbol $f$ with $n > 0$ an $n$-ary admitted function, i.e. $I_F(f) \in \mathcal{F}^F_n$.

2. $I_F$ assigns to each constant $c \in F_S$ a constant basic function $I_F(c) \in BF$.

3. $I_F$ assigns to each $n$-ary predicate symbol $p$ with $n > 0$ an $n$-ary admitted relation, i.e. $I_F(p) \in \mathcal{P}^F_n$.

4. $I_F$ assigns to each 0-ary predicate symbol $p$ one of the two Boolean values $tt$ or $ff$.


Definition 11 (F-evaluation of terms). Let $S$ be a signature and $I_F$ an F-interpretation of $S$. For every F-assignment $\beta : V \to BF$ we define the function $\beta_{I_F} : T_S \to BF$ as follows:

1. $\beta_{I_F}(v) := \beta(v)$ for all $v \in V$

2. $\beta_{I_F}(c) := I_F(c)$ for all $c \in F_S$, $\alpha_S(c) = 0$

3. $\beta_{I_F}(f(t_1, \ldots, t_n)) := I_F(f)(\beta_{I_F}(t_1), \ldots, \beta_{I_F}(t_n))$ for $n > 0$, $f \in F_S$, $\alpha_S(f) = n$, $t_1, \ldots, t_n \in T_S$

Definition 12 (F-evaluation of formulas). Let $S$ be a signature, $I_F$ an F-interpretation of $S$, $\beta$ an F-assignment of $V$, and $t \in \mathbb{R}$. We define $\omega_{I_F,\beta,t} : For_S \to \{tt, ff\}$ by structural induction over the construction of formulas as follows:

1. $$\omega_{I_F,\beta,t}(p(\tau_1, \ldots, \tau_n)) := \begin{cases} tt & \text{if } ((\beta_{I_F}(\tau_1), \ldots, \beta_{I_F}(\tau_n)), t) \in I_F(p) \\ ff & \text{otherwise} \end{cases}$$
for $p \in P_S$ with $\alpha_S(p) = n > 0$, $\tau_1, \ldots, \tau_n \in T_S$;
$\omega_{I_F,\beta,t}(p) := I_F(p)$ for $p \in P_S$ with $\alpha_S(p) = 0$.

2. $$\omega_{I_F,\beta,t}(\neg B) := \begin{cases} tt & \text{if } \omega_{I_F,\beta,t}(B) = ff \\ ff & \text{if } \omega_{I_F,\beta,t}(B) = tt \end{cases}$$

3. $$\omega_{I_F,\beta,t}(B \Rightarrow C) := \begin{cases} ff & \text{if } \omega_{I_F,\beta,t}(B) = tt \text{ and } \omega_{I_F,\beta,t}(C) = ff \\ tt & \text{otherwise} \end{cases}$$

4. $$\omega_{I_F,\beta,t}(\forall v \bullet B) := \begin{cases} tt & \text{if for all } bf \in BF\ \ \omega_{I_F,\beta_v^{bf},t}(B) = tt \text{ holds} \\ ff & \text{otherwise} \end{cases}$$
where $\beta_v^{bf} : V \to BF$ is defined as follows:
$$\beta_v^{bf}(x) := \begin{cases} bf & \text{if } x = v \\ \beta(x) & \text{if } x \ne v \end{cases}$$

Definition 13 (F-validity of formulas). Let $S$ be a signature and $I_F$ an F-interpretation of $S$. The partial function $\omega_{I_F} : For_S \rightharpoonup \{tt, ff\}$ is defined as follows:

$$\omega_{I_F}(A) := \begin{cases} tt & \text{if for all } \beta : V \to BF \text{ and for all } t \in \mathbb{R}\ \ \omega_{I_F,\beta,t}(A) = tt \text{ holds} \\ ff & \text{if for all } \beta : V \to BF \text{ and for all } t \in \mathbb{R}\ \ \omega_{I_F,\beta,t}(A) = ff \text{ holds} \\ \text{undefined} & \text{otherwise} \end{cases}$$


2.5  Relation  Between  E-Interpretations  and  F-Interpretations 

As mentioned above, under special circumstances E-validity and F-validity coincide. In this section, we define the notion of compatible interpretations and show that under such interpretations this assertion is true. Before doing this we define the lifting operators, which allow the definition of logical constructs using basic functions $BF$ instead of $Val_E$, thus switching from a complex to a much simpler structure. These BF-definitions can then be implicitly lifted to $Val_E$.

The operators $LF^P_n$ and $LP^P_n$, defined below, lift point-based functions and predicates defined on $\mathbb{R}$, like $+$, $-$, $\cdot$, $<$, $\le$ etc., to (admitted) functions and predicates on basic functions (cf. the upper part of the diagram in Fig. 1).

Definition 14 (lifting of point-based functions and predicates). We define the families of lifting operators for point-based functions $(LF^P_n \mid n \in \mathbb{N}_1)$ and predicates $(LP^P_n \mid n \in \mathbb{N}_1)$ as follows:

- $LF^P_n : (Val^n \rightharpoonup Val) \to \mathcal{F}^F_n$

  $\forall F : (Val^n \rightharpoonup Val);\ f : BF^n \bullet LF^P_n(F)(f) = \{\, (t, F(f_1(t), \ldots, f_n(t))) \mid t \in \bigcap_{i=1}^n \mathrm{dom}\, f_i \wedge (f_1(t), \ldots, f_n(t)) \in \mathrm{dom}\, F \,\}$

- $LP^P_n : \mathbb{P}(Val^n) \to \mathcal{P}^F_n$

  $\forall P : \mathbb{P}(Val^n) \bullet LP^P_n(P) = \{\, ((f_1, \ldots, f_n), t) \mid t \in \bigcap_{i=1}^n \mathrm{dom}\, f_i \wedge (f_1(t), \ldots, f_n(t)) \in P \,\}$
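As an added illustration (not an implementation from the paper), the following Python code realises the function-based level of Fig. 1 for a tiny constructed signature: basic functions are partial maps $\mathbb{R} \rightharpoonup Val$ represented as a callable plus a domain predicate, `LF_P` and `LP_P` are the lifting operators $LF^P_n$ and $LP^P_n$ of Definition 14, and `eval_term` and `eval_atomic` are $\beta_{I_F}$ and the atomic case of $\omega_{I_F,\beta,t}$ from Definitions 11 and 12. The signature (`plus`, `times`, `div`, `lt`, `eq`), the assignment $\beta$ and the time points are constructed for the example; the derivation operator, which needs a representation of local behaviour rather than pointwise evaluation, is deliberately not included.

```python
"""Function-based (F-) interpretation of CEL terms and atomic formulas.
Added illustration, not the paper's own implementation.  Basic functions
BF = R -+> Val are (callable, domain-predicate) pairs; LF_P / LP_P are the
lifting operators of Definition 14; eval_term / eval_atomic realise
Definitions 11 and 12 at a given time point t."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class BasicFunction:
    """A partial function R -+> Val: `func` is consulted only where `defined` holds."""
    func: Callable[[float], float]
    defined: Callable[[float], bool] = lambda t: True

    def at(self, t: float) -> Optional[float]:
        """Value at t, or None when t is outside the domain."""
        return self.func(t) if self.defined(t) else None


def LF_P(F: Callable[..., Optional[float]]) -> Callable[..., BasicFunction]:
    """LF^P_n: lift a point-based partial function F : Val^n -+> Val (None marks
    'outside dom F') to BF^n -> BF.  The lifted result is defined at t iff every
    argument is defined at t and the argument tuple lies in dom F."""
    def lifted(*fs: BasicFunction) -> BasicFunction:
        def defined(t: float) -> bool:
            vals = [f.at(t) for f in fs]
            return all(v is not None for v in vals) and F(*vals) is not None

        def func(t: float) -> float:
            return F(*(f.at(t) for f in fs))

        return BasicFunction(func, defined)
    return lifted


def LP_P(P: Callable[..., bool]) -> Callable[..., Callable[[float], bool]]:
    """LP^P_n: lift a point-based predicate P on Val^n to a predicate on
    BF^n x R; ((f_1..f_n), t) belongs to it only if t is in every dom f_i."""
    def lifted(*fs: BasicFunction) -> Callable[[float], bool]:
        def holds_at(t: float) -> bool:
            vals = [f.at(t) for f in fs]
            return all(v is not None for v in vals) and P(*vals)
        return holds_at
    return lifted


# Constructed F-interpretation I_F of a small signature (assumption of this example).
I_F_FUNCS = {
    "plus": LF_P(lambda a, b: a + b),
    "times": LF_P(lambda a, b: a * b),
    "div": LF_P(lambda a, b: a / b if b != 0 else None),   # partial: dom excludes b = 0
}
I_F_PREDS = {
    "lt": LP_P(lambda a, b: a < b),
    "eq": LP_P(lambda a, b: abs(a - b) < 1e-9),
}


def eval_term(term, beta):
    """beta_{I_F} (Definition 11).  A term is a variable name or a tuple
    (function symbol, argument terms...); beta maps variables to basic functions."""
    if isinstance(term, str):
        return beta[term]
    sym, *args = term
    return I_F_FUNCS[sym](*(eval_term(a, beta) for a in args))


def eval_atomic(formula, beta, t):
    """omega_{I_F,beta,t} for an atomic formula (Definition 12, item 1)."""
    sym, *args = formula
    return I_F_PREDS[sym](*(eval_term(a, beta) for a in args))(t)


# Constructed assignment beta: x(t) = t^2, y(t) = 3t, one(t) = 1 (a constant basic function).
BETA = {
    "x": BasicFunction(lambda t: t * t),
    "y": BasicFunction(lambda t: 3.0 * t),
    "one": BasicFunction(lambda t: 1.0),
}


if __name__ == "__main__":
    print(eval_atomic(("lt", "x", "y"), BETA, 1.0))          # t^2 < 3t at t = 1
    print(eval_atomic(("lt", "x", "y"), BETA, 4.0))          # t^2 < 3t at t = 4
    print(eval_term(("div", "one", "x"), BETA).at(0.0))      # 1/t^2 is undefined at 0
    print(eval_term(("plus", "x", "y"), BETA).at(2.0))       # (t^2 + 3t)(2)
```

Partiality propagates exactly as the definitions prescribe: `div` is undefined where its second argument is $0$, so the lifted term $one / x$ has $0 \notin \mathrm{dom}$, and an atomic formula whose arguments are undefined at $t$ evaluates to $ff$ because $LP^P_n(P)$ only contains pairs whose time point lies in every argument's domain. F-validity (Definition 13) would additionally quantify over all assignments and all $t$, which this pointwise evaluator does not attempt.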
Figure 1 (diagram, rendered here as text):

Point-based: $Val^n \rightharpoonup Val$ and $\mathbb{P}(Val^n)$

$\downarrow LF^P_n$ and $\downarrow LP^P_n$

Function-based: $\mathcal{F}^F_n \subseteq BF^n \to BF$ and $\mathcal{P}^F_n \subseteq \mathbb{P}(BF^n \times \mathbb{R})$

$\downarrow LF_n$ and $\downarrow LP_n$

Environment-based: $\mathcal{F}^E_n = Val_E^n \to Val_E$ and $\mathcal{P}^E_n = \mathbb{P}(Val_E^n)$

Figure 1. Effect of the lifting operators


The operators $LF_n$ and $LP_n$ lift admitted functions and predicates defined on basic functions to functions and predicates defined on $Val_E$ (cf. the lower part of the diagram in Fig. 1).

Definition 15 (lifting operators). We define the families of lifting operators for functions $(LF_n \mid n \in \mathbb{N}_1)$ and predicates $(LP_n \mid n \in \mathbb{N}_1)$ by the following axioms (the function $CreateEnv_n$ is the extension of $CreateEnv$ (cf. Sec. 2.1) to n-dimensional vectors of functions):

- $LF_n : \mathcal{F}^F_n \to \mathcal{F}^E_n$

  $\forall F : \mathcal{F}^F_n;\ f : BF^n;\ t : \mathbb{R} \bullet LF_n(F)(CreateEnv_n(f, t)) = CreateEnv(F(f), t)$

- $LP_n : \mathcal{P}^F_n \to \mathcal{P}^E_n$

  $\forall P : \mathcal{P}^F_n;\ f : BF^n;\ t : \mathbb{R} \bullet (f, t) \in P \Leftrightarrow CreateEnv_n(f, t) \in LP_n(P)$

It can be shown that $LF_n$ and $LP_n$ are well-defined [4].

Definition 16 (compatible interpretations). Let S be a signature, $I_F$ an F-interpretation of S, and $I_E$ an E-interpretation of S. We say $I_F$ and $I_E$ are compatible if the following holds:

1. For all $c \in F_S$ with $a_S(c) = 0$: $I_F(c) \in I_E(c)(t)$ for all $t \in \mathbb{R}$

2. For all $f \in F_S$ with $a_S(f) = n > 0$: $I_E(f) = LF_n(I_F(f))$

3. For all $p \in P_S$ with $a_S(p) = 0$: $I_E(p) = I_F(p)$

4. For all $p \in P_S$ with $a_S(p) = n > 0$: $I_E(p) = LP_n(I_F(p))$

The definition states that a 0-ary function symbol c is mapped by $I_E$ to an E-value that represents the constant behavior of the function $I_F(c)$. For each F-interpretation there exists (exactly) one compatible E-interpretation. The reverse is not true, because an E-interpretation can assign to 0-ary function symbols E-values that do not constitute constant behavior. Therefore, there are more E-interpretations than F-interpretations.

The lifting operators $LF_n$ and $LP_n$ allow the definition of logical E-constructs in a straightforward manner. But so far there is no guarantee that the meaning of E-constructs defined in this way is preserved by the lifting operators. Hence, we cannot execute the usual logical tasks, like formula manipulation or deduction, in E-interpreted CEL with the F-meaning of the constructs in mind. The following theorem shows that, under compatible interpretations, the F-validity and the E-validity are equivalent, thus proving the correctness of using lifted F-constructs in E-interpretations (we need both claims because $\omega_{I_F}$ and $\omega_{I_E}$ may be undefined (cf. Def. 13 and 8)).

Theorem 17. Let S be a signature, $I_F$ an F-interpretation of S, $I_E$ an E-interpretation of S that is compatible with $I_F$, and A an S-formula. Then, the following holds:

1. $\omega_{I_F}(A) = tt$ if and only if $\omega_{I_E}(A) = tt$

2. $\omega_{I_F}(A) = ff$ if and only if $\omega_{I_E}(A) = ff$

Proof (sketch)

1. Let $\beta', \beta''$ be F-assignments of V, $T \in T_S$ a term, and $t', t'' \in \mathbb{R}$. Using structural induction, it can be proved that $\sim$ distributes through terms and formulas under F-interpretations:

   (a) $(\forall v : V \bullet (\beta'(v), t') \sim (\beta''(v), t'')) \Rightarrow (\beta'_{I_F}(T), t') \sim (\beta''_{I_F}(T), t'')$

   (b) $(\forall v : V \bullet (\beta'(v), t') \sim (\beta''(v), t'')) \Rightarrow \omega_{I_F,\beta',t'}(A) = \omega_{I_F,\beta'',t''}(A)$

   With these results, it can be shown that, if a formula F-evaluates to true for one fixed time point and for all F-assignments, then this formula is F-valid:

   $(\exists t : \mathbb{R} \bullet \forall \beta : V \to BF \bullet \omega_{I_F,\beta,t}(A) = tt) \Rightarrow \omega_{I_F}(A) = tt$

   The analogous result holds for formulas that F-evaluate to false.

2. Let $\beta$ be an F-assignment of V, $T \in T_S$ a term, and $t \in \mathbb{R}$. $\beta^t : V \to Val_E$ denotes the E-assignment corresponding to $\beta$ and t. It is defined by $\beta^t(v) := CreateEnv(\beta(v), t)$. The relation between corresponding assignments under compatible interpretations regarding terms and formulas is expressed by the following two facts, which can be proved by structural induction over the construction of terms and formulas, respectively:

   (a) $CreateEnv(\beta_{I_F}(T), t) = \beta^t_{I_E}(T)$

   (b) $\omega_{I_F,\beta,t}(A) = \omega_{I_E,\beta^t}(A)$

3. With the results from 1. and 2., the assertions of the theorem can be proved in a few steps.

3  Specification  Examples 

In  this  section,  we  illustrate  how  the  logic  CEL  can  be  used  to  describe  continuous 
systems.  As  CEL  does  not  contain  any  built-in  functions  and  predicates,  we  must 
first  introduce  the  required  concepts.  This  is  done  in  Section  3.1.  In  Section 
3.2,  these  concepts  are  employed  to  specify  two  small  continuous  systems  using 
the  syntax  of  ZimOO  [4],  an  object-oriented  specification  language  for  hybrid 
systems  whose  semantics  is  based  on  CEL. 
3.1 User-Defined Concepts

When specifying continuous systems with CEL, the E-interpretation is assumed because it is much more abstract than the F-interpretation. However, it would be very awkward to define all the functions and predicates the user may need directly on the set $Val_E$. Fortunately, admitted functions and predicates (cf. Def. 9), together with the lifting operators $LF_n$ and $LP_n$ (cf. Def. 15), provide a sound interface to the E-interpretation of CEL. Thus, we are allowed to specify the required logical constructs as elements of $\mathcal{F}^F_n$ or $\mathcal{P}^F_n$ in an intuitively comprehensible manner. When used in the specifications of continuous systems, these functions and predicates are implicitly lifted to elements of $\mathcal{F}^E_n$ or $\mathcal{P}^E_n$, respectively. Theorem 17 ensures that the intuitive meaning is not violated. Here, we use the syntax of Z instead of conventional mathematics to introduce logical constructs.

Functions and Predicates. The construct introduced first is the unary predicate $\delta_P$, which characterizes points with defined local behavior ($==$ is the definition symbol); $const$ describes constant local behavior. It is obvious that $\delta_P$ and $const$ are admitted predicates. Thus, their liftings can be used in continuous specifications.

$\delta_P == \{f : BF;\ t : \mathbb{R} \mid t \in \mathrm{dom}\, f\}$

$const == \{f : BF;\ t : \mathbb{R} \mid (\exists \varepsilon : \mathbb{R}_{>0};\ v : Val \bullet (t - \varepsilon, t + \varepsilon) \subseteq \mathrm{dom}\, f \wedge \mathrm{ran}((t - \varepsilon, t + \varepsilon) \lhd f) = \{v\})\}$

The next three functions define the limit from the left, the limit from the right, and the "ordinary" limit. As the set Val must meet certain requirements to allow the definition of limits (it should be at least a metric space), we interpret Val henceforth as the set of real numbers. In the definition, we use the type $seq_\infty$ and the function $limseq$, which are not defined here. They denote the type of infinite sequences and the limit of sequences, respectively. We consider a function to be a set of pairs, a view familiar to Z users. It can easily be proved that all three limits are admitted functions.

$\overleftarrow{\cdot},\ \overrightarrow{\cdot},\ \overleftrightarrow{\cdot} : BF \to BF$

$\forall f : BF \bullet$

$\quad \overleftarrow{f} = \{x, l : \mathbb{R} \mid (\mathbf{let}\ SEQ == seq_\infty\{t : \mathrm{dom}\, f \mid t < x\} \bullet (\exists s : SEQ \bullet limseq\, s = x) \wedge (\forall s : SEQ \bullet limseq\, s = x \Rightarrow limseq(\lambda n : \mathbb{N}_1 \bullet f(s\ n)) = l))\}$

$\quad \overrightarrow{f} = \{x, l : \mathbb{R} \mid (\mathbf{let}\ SEQ == seq_\infty\{t : \mathrm{dom}\, f \mid t > x\} \bullet (\exists s : SEQ \bullet limseq\, s = x) \wedge (\forall s : SEQ \bullet limseq\, s = x \Rightarrow limseq(\lambda n : \mathbb{N}_1 \bullet f(s\ n)) = l))\}$

$\quad \overleftrightarrow{f} = \overleftarrow{f} \cap \overrightarrow{f}$
The admitted unary predicates $\overleftarrow{L}$ and $\overrightarrow{L}$ characterize local behavior with an existing limit from the left or from the right, respectively. The unary predicates $\overleftarrow{C}$, $\overrightarrow{C}$, and $C$ describe local behavior that is continuous from the left, continuous from the right, and (merely) continuous, respectively.

$\overleftarrow{L} == \{f : BF;\ t : \mathbb{R} \mid t \in \mathrm{dom}\, \overleftarrow{f}\}$

$\overrightarrow{L} == \{f : BF;\ t : \mathbb{R} \mid t \in \mathrm{dom}\, \overrightarrow{f}\}$

$\overleftarrow{C} == \{f : BF;\ t : \mathbb{R} \mid t \in \mathrm{dom}\, f \wedge t \in \mathrm{dom}\, \overleftarrow{f} \wedge \overleftarrow{f}(t) = f(t)\}$

$\overrightarrow{C} == \{f : BF;\ t : \mathbb{R} \mid t \in \mathrm{dom}\, f \wedge t \in \mathrm{dom}\, \overrightarrow{f} \wedge \overrightarrow{f}(t) = f(t)\}$

$C == \overleftarrow{C} \cap \overrightarrow{C}$


The notion of limit can now be used to define the derivation operator. It is a total function, so it can be proved that it is an admitted one.

$\dot{\ } : BF \to BF$

$\forall f : BF \bullet$

$\quad \dot{f} = \{t, d : \mathbb{R} \mid (\mathbf{let}\ DQ == \{h, w : \mathbb{R} \mid h \neq 0 \wedge \{t, t + h\} \subseteq \mathrm{dom}\, f \wedge w = (f(t + h) - f(t))/h\} \bullet 0 \in \mathrm{dom}\, \overleftrightarrow{DQ} \wedge \overleftrightarrow{DQ}(0) = d)\}$

The unary predicate $\mathcal{D}$ describes differentiable local behavior.

$\mathcal{D} == \{f : BF;\ t : \mathbb{R} \mid t \in \mathrm{dom}\, \dot{f}\}$

The admitted binary predicate $=_{co}$ states that, if the local behavior represented by the right-hand side of $=_{co}$ is continuous, then the left-hand side describes defined local behavior. $=_{co}$ is not common in conventional analysis, but it has proved very helpful when specifications contain explicit differential equations, because $=_{co}$ can manage discontinuities in the right-hand side of the equation.

$=_{co} : \mathcal{P}((BF \times BF) \times \mathbb{R})$

$\forall f_1, f_2 : BF;\ t : \mathbb{R} \bullet ((f_1, f_2), t) \in =_{co} \Leftrightarrow (\delta_P(f_1, t) \wedge f_1(t) = f_2(t)) \vee \neg C(f_2, t)$


Data Types. Data types are subsets of $Val_E$ which constitute total local behavior. They can be defined using unary admitted predicates.

First, we define the auxiliary operator $EnvPoint$, which takes a unary predicate $pr$ as its argument and yields another unary predicate. A pair $(f, t)$ fulfills this resulting predicate if and only if a neighborhood of t exists such that, for every $t'$ from this neighborhood, $(f, t')$ fulfills the original predicate $pr$. Note that $(f, t)$ is not required to fulfill $pr$. $EnvPoint$ maps admitted predicates to admitted ones.

$EnvPoint : \mathcal{P}(BF \times \mathbb{R}) \to \mathcal{P}(BF \times \mathbb{R})$

$\forall pr : \mathcal{P}(BF \times \mathbb{R}) \bullet$

$\quad EnvPoint\ pr = \{f : BF;\ t : \mathbb{R} \mid \neg \exists T : seq_\infty(\mathbb{R} \setminus \{t\}) \bullet limseq\, T = t \wedge (\forall i : \mathrm{dom}\, T \bullet (f, T\ i) \notin pr)\}$


The most general data type BASIC contains all total local behaviors.

$BASIC == \delta_P \cap EnvPoint(\delta_P)$

The following definition introduces the data types used in the specifications in Section 3.2. LIM denotes the total local behaviors with existing limits from the left and the right. The frequently used data type SEM characterizes piecewise differentiable local behavior, i.e. local behavior without accumulation of nondifferentiable points. CONT and DIFF denote continuous and differentiable behavior, respectively. The data type CONST describes constant behavior. STEP models step functions defined on a continuous time domain. Finally, CLOCK describes differentiable local behavior with gradient 1.

$LIM == BASIC \cap \overleftarrow{L} \cap \overrightarrow{L}$

$SEM == LIM \cap EnvPoint(\mathcal{D})$

$CONT == SEM \cap C$

$DIFF == SEM \cap \mathcal{D}$

$CONST == BASIC \cap const$

$STEP == BASIC \cap EnvPoint(const) \cap (\overleftarrow{C} \cup \overrightarrow{C})$

$CLOCK == \{f : BF;\ t : \mathbb{R} \mid (f, t) \in DIFF \wedge \dot{f}(t) = 1\}$


3.2  Examples  of  Continuous  Systems 

As  mentioned  above,  the  logic  CEL  was  used  to  describe  the  semantics  of  the 
continuous  classes  of  ZimOO  [4],  an  object-oriented  specification  language  for 
hybrid  systems.  ZimOO  is  based  on  Object-Z  [3],  an  object-oriented  extension  of 
Z  [11].  It  extends  Object-Z,  allowing  descriptions  of  the  discrete  and  continuous 
features  of  a  system  in  a  common  formalism.  ZimOO  supports  three  different 
kinds  of  classes:  discrete,  continuous,  and  hybrid.  We  use  the  syntax  of  the 
continuous  ZimOO  classes  to  give  some  examples  of  CEL-specifications. 

Axioms are used to specify the state space of continuous ZimOO classes. They are formulated using the syntax of first-order logic and interpreted as CEL-formulas, the E-interpretation being assumed. There are no built-in logical functions or predicates in the kernel of ZimOO. Instead, we use the functions and predicates defined in the previous subsection (as justified at the beginning of Section 3.1, the functions and predicates defined there may be used in E-interpreted CEL-formulas and therefore in ZimOO classes). Additionally, we use the common point-based functions and predicates defined on reals like $+$, $-$, $<$, etc. They can all be lifted to $\mathcal{F}^E_n$ or $\mathcal{P}^E_n$ by the composition of $LF^P_n$ and $LF_n$ or by the composition of $LP^P_n$ and $LP_n$, respectively. In particular, the equality on reals is lifted to $\mathcal{P}^E_2$. Note that, consequently, we use a point-based equality which depends only on the current real value of the expressions involved, neglecting their local environments.

Cat and Mouse. The cat-and-mouse problem [9] is a simple benchmark from the area of real-time and hybrid systems. We specify it here to demonstrate the descriptive possibilities of languages based on CEL (cf. the class CatAndMouse). The example deals with a cat trying to catch a mouse, which in turn attempts to escape into a hole. The problem is one-dimensional, i.e. the cat, the mouse, and the hole are on a straight line, the cat and mouse moving along this line. Initially, the mouse, which is located between the cat and the hole at distance $m_0$ from the hole, starts running towards the hole at a constant velocity $v_m$. $t_c$ time units later, the cat, which is positioned at $c_0$, starts chasing the mouse at the constant velocity $v_c$. All these constants are declared as real numbers in the axiomatic schema of CatAndMouse.

CatAndMouse

  $m_0, c_0 : \mathbb{R}_{>0}$
  $v_m, v_c : \mathbb{R}_{<0}$
  $t_c : \mathbb{R}_{>0}$

  $m_0 < c_0$

  $t : CLOCK$
  $x_m, x_c : CONT$
  $res : STEP$

  $res = 1 \vee res = 2$
  $\neg C\ res \Leftrightarrow x_m = x_c > 0$
  $\dot{x}_m =_{co} \mathbf{if}\ res = 1\ \mathbf{then}\ v_m\ \mathbf{else}\ \dot{x}_c$
  $\dot{x}_c =_{co} \mathbf{if}\ t > t_c \wedge x_c > 0\ \mathbf{then}\ v_c\ \mathbf{else}\ 0$

  INIT
    $t = 0$
    $x_m = m_0$
    $x_c = c_0$
    $res = 1$

The state space and the dynamics of the system are described in the state schema of CatAndMouse. As the example contains an explicit delay, we need a clock variable t. The current positions of the mouse and the cat are denoted by the variables $x_m$ and $x_c$, respectively. The result of the "race" is encoded in the variable $res$: $res = 1$ means the mouse wins, $res = 2$ means the cat is the winner. When the constants $t_c$, $m_0$, 1, 2 etc. are used in the state schema, their values are implicitly lifted to $Val_E$, i.e. to CONST. The second axiom states that the value of $res$, which initially equals 1, can change if and only if the cat overtakes the mouse before it disappears into the hole. The last two axioms can be interpreted as differential equations describing the movement of the mouse and the cat. Depending on the value of $res$, $x_m$ behaves according to $\dot{x}_m = v_m$ or $\dot{x}_m = \dot{x}_c$. $=_{co}$ ensures that if $res$ does not jump and $\dot{x}_c$ represents defined local behavior, then the derivative of $x_m$ exists and fulfills one of the two differential equations. In jump points of $res$ and in points where $x_c$ is not differentiable, the value of $x_m$ is uniquely determined by the continuity of $x_m$.
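The following Python is an added illustration, not part of the paper or of ZimOO: basic functions are modelled as piecewise-linear segments over exact rationals, the predicates $\delta_P$, $C$, the derivation operator and $=_{co}$ are evaluated on them, and the CatAndMouse types and axioms are checked at chosen time points of a constructed trajectory in which the mouse escapes. The class names, the strict (domain-intersecting) lifted conditional, the probe-based limits for derived expressions and the numeric constants are modelling choices of this example.

```python
from fractions import Fraction as Fr

DELTA = Fr(1, 4096)  # probe distance; every breakpoint gap below is far larger than 2*DELTA


class Behavior:
    """Local behavior: value(t) is a Fraction, or None where undefined.  Default limits
    probe just left/right of t, exact for the piecewise-constant expressions used here."""
    def left_limit(self, t):
        return self.value(t - DELTA)

    def right_limit(self, t):
        return self.value(t + DELTA)


class PL(Behavior):
    """Basic function given by segments (t0, t1, a, b): f(t) = a*t + b on [t0, t1)."""
    def __init__(self, segs):
        self.segs = [tuple(Fr(x) for x in s) for s in segs]

    def _seg(self, t, from_left):
        for t0, t1, a, b in self.segs:
            if (t0 < t <= t1) if from_left else (t0 <= t < t1):
                return a, b
        return None

    def value(self, t):
        s = self._seg(t, False)
        return None if s is None else s[0] * t + s[1]

    def left_limit(self, t):  # exact: extend the segment that ends at, or covers, t
        s = self._seg(t, True)
        return None if s is None else s[0] * t + s[1]

    def right_limit(self, t):  # segments are closed at t0, so f(t) is its own right limit
        return self.value(t)

    def slope(self, t, from_left):
        s = self._seg(t, from_left)
        return None if s is None else s[0]


class Dot(Behavior):
    """Derivation operator on a PL function: the difference quotient has a limit exactly
    where f is continuous and both one-sided slopes exist and agree."""
    def __init__(self, f):
        self.f = f

    def value(self, t):
        sl, sr = self.f.slope(t, True), self.f.slope(t, False)
        return sl if sl is not None and sl == sr and C(self.f, t) else None


class Lift(Behavior):
    """Pointwise lifting of an operation to local behaviors (cf. LF_n); strict, because
    LF^P_n requires t to lie in the domain of every argument."""
    def __init__(self, op, *args):
        self.op, self.args = op, args

    def value(self, t):
        vals = [a.value(t) for a in self.args]
        return None if None in vals else self.op(*vals)


def Const(c):  # a constant lifted to an E-value (the CONST data type)
    return Lift(lambda: Fr(c))


def defined(f, t):  # delta_P: t lies in the domain of f
    return f.value(t) is not None


def C(f, t):  # continuous at t: both one-sided limits exist and equal f(t)
    v = f.value(t)
    return v is not None and f.left_limit(t) == v and f.right_limit(t) == v


def step_ok(f, t):  # the STEP requirement: continuous from the left or from the right
    v = f.value(t)
    return v is not None and v in (f.left_limit(t), f.right_limit(t))


def eq_co(lhs, rhs, t):  # =_co: lhs defined and equal to rhs, unless rhs is discontinuous
    return (defined(lhs, t) and lhs.value(t) == rhs.value(t)) or not C(rhs, t)


def cat_and_mouse_axioms(t, clock, xm, xc, res, vm, vc, tc):
    """Evaluate the variable types and the state-schema axioms of CatAndMouse at time t."""
    rhs_m = Lift(lambda r, v, d: v if r == 1 else d, res, Const(vm), Dot(xc))
    rhs_c = Lift(lambda now, x, v: v if now > tc and x > 0 else Fr(0), clock, xc, Const(vc))
    return {
        "types": C(xm, t) and C(xc, t) and step_ok(res, t) and Dot(clock).value(t) == 1,
        "res in {1, 2}": res.value(t) in (1, 2),
        "res jumps iff caught": (not C(res, t)) == (xm.value(t) == xc.value(t) > 0),
        "mouse ODE": eq_co(Dot(xm), rhs_m, t),
        "cat ODE": eq_co(Dot(xc), rhs_c, t),
    }


def escape_scenario():
    """Constructed trajectory on [0, 2) with m0 = 1, c0 = 3, vm = -1, vc = -3, tc = 1/4: the
    mouse reaches the hole (x = 0) at t = 1, the cat runs from t = 1/4 and stops at the hole
    at t = 5/4, so res stays 1 and x_c has kinks at t = 1/4 and t = 5/4."""
    return dict(
        clock=PL([(0, 2, 1, 0)]),
        xm=PL([(0, 2, -1, 1)]),
        xc=PL([(0, Fr(1, 4), 0, 3), (Fr(1, 4), Fr(5, 4), -3, Fr(15, 4)), (Fr(5, 4), 2, 0, 0)]),
        res=PL([(0, 2, 0, 1)]),
        vm=-1, vc=-3, tc=Fr(1, 4),
    )
```

At the kinks of $x_c$ the derivative $\dot{x}_c$ is undefined, so the right-hand sides are discontinuous (or undefined) there and $=_{co}$ holds without constraining the derivatives, exactly the situation the paragraph above describes.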

Billiards. As a further example, we specify the billiards game from [2]. The billiard table is assumed to have the length L and the width W. Friction is neglected, i.e. we assume the absolute values of the ball velocities $v_x$ and $v_y$ in the x- and y-directions to be constant. The current position of the ball is described by the pair $(x, y)$, the velocity directions by $dx$ and $dy$; the current velocity is therefore given by $(dx \cdot v_x, dy \cdot v_y)$. The first implication in the state schema states that the x-velocity $v_x$ may only change its direction $dx$ if a collision with one of the x-borders occurs. The third implication ensures that such a change takes place when an x-border is reached. The second and the fourth implications describe the same facts for the y-direction.

Note the use of the limit operators in the last two implications. They can be applied not only to individual variables but also to expressions, because the (lifted) multiplication operator is total on $Val_E \times Val_E$, thus yielding a proper element of $Val_E$ which can be further processed by the limit operators.

Billiards

  $L, W, v_x, v_y : \mathbb{R}_{>0}$

  $x, y : CONT$
  $dx, dy : STEP$

  $(dx = -1 \vee dx = 1) \wedge (dy = -1 \vee dy = 1)$
  $\dot{x} =_{co} dx \cdot v_x$
  $\dot{y} =_{co} dy \cdot v_y$
  $\neg C\ dx \Rightarrow x = 0 \vee x = L$
  $\neg C\ dy \Rightarrow y = 0 \vee y = W$
  $x = 0 \vee x = L \Rightarrow \overleftarrow{dx \cdot v_x} = -\overrightarrow{dx \cdot v_x}$
  $y = 0 \vee y = W \Rightarrow \overleftarrow{dy \cdot v_y} = -\overrightarrow{dy \cdot v_y}$

  INIT
    $0 < x < L$
    $0 < y < W$
    $dx = dy = 1$


4  Conclusion 

The paper describes the Continuous Environment-Based Logic (CEL) and proposes its use for the specification of continuous components of hybrid systems. The syntax of CEL is the syntax of first-order logic. The semantic particularity is the interpretation of variables on the set $Val_E$ of environment-based values. The elements of $Val_E$ contain less information than any nonempty interval of a behavioral function, but more than a conventional point-based value, lying more or less in between. Because of this choice of the semantic space, the derivation and other environment-based constructs can be defined directly on E-values, and the interpretation of the variables as functions can be avoided. The definition of additional logical constructs can be performed in an intuitively comprehensible manner with explicit access to the time variable. The lifting operators translate these constructs implicitly into the semantics of CEL. It has been shown that for compatible interpretations the meaning of the constructs is preserved. CEL has been used for the semantics definition of an object-oriented specification language for hybrid systems. In general, it can be very useful for the formal semantics definition of object-oriented simulation languages for dynamic systems.
Abstract. This paper describes three techniques for reachability analysis for systems modeled by ordinary differential equations (ODEs). First, linear models with regions modeled by convex polyhedra are considered, and an exact algorithm is presented. Next, non-convex polyhedra are considered, and techniques are presented for representing a polyhedron by its projection onto two-dimensional subspaces. This approach yields a compact representation, and allows efficient algorithms from computational geometry to be employed. Within this context, an approximation technique for reducing non-linear ODE models to linear nonhomogeneous models is presented. This reduction provides a sound basis for applying methods for linear systems analysis to non-linear systems.


1  Introduction 

We are interested in verifying that circuits, as modeled by systems of non-linear ordinary differential equations (ODEs), correctly implement discrete specifications. Challenging verification problems arise when VLSI designers use methods such as precharged logic, single-phase clocking, and sense-amp based techniques that depend on the analog properties of the circuits to obtain better performance. In current practice, design validation relies heavily on simulation tools such as SPICE [Nag75]. However, even the best model is only approximate, and each simulation run can only consider a particular set of functions as inputs to the circuit and a particular set of values for model parameters. To obtain a reasonable level of confidence in a design, a large number of simulations must be run. This process can be extremely time consuming; yet, in the end, simulation cannot prove the correctness of a design.

Recently, we have been exploring an alternative approach to the problem of circuit-level design verification, based on ideas from dynamical systems theory. Correctness criteria for a circuit can be formulated in a logic which has meaning in both continuous and discrete domains. Rather than considering individual simulation runs, correctness criteria become topological properties in the continuous domain that must hold for an invariant set that contains all possible trajectories of the ODE model. To establish these invariants, we construct regions such that all trajectories on the boundaries flow inward [GM97]. For simple models these regions can be constructed manually, but for models arising in real circuits more automated methods are required. In [Gre96], we showed how these invariant sets can be constructed by reachability analysis using numerical integration.

An important advantage of our approach is that our analysis is based on ODE models similar to those that are used for industrial circuit simulation. Thus, our results are comparable with those obtained by traditional simulations — by speaking the same language as circuit designers, we encourage interaction with the eventual users of our techniques. Furthermore, considerable effort continues to be invested in developing accurate models for current fabrication processes. By using ODE models as the basis of our work, we can exploit these advances directly.

Two contributions are made by this paper. First, we describe an efficient way of representing non-convex high dimensional polyhedra using two-dimensional projections. This representation is by no means universal; however, it has shown promising results for a small number of circuits that we have analysed. Second, we show an integration based approach for computing reachability between regions represented using projections. Although we use floating point arithmetic in our implementation to obtain acceptable performance, in principle the same techniques could be implemented with rational arithmetic and conservative rounding to create a strictly conservative implementation of the algorithm. The theoretic aspects of these contributions are contained in section 3. Preceding that section is a description of our models.


2  Models 


In this section we show how to construct ODE models for our analysis. Section 2.1 describes the construction of models for MOS circuits. These circuits require inputs, and we typically wish to verify a circuit for all legal inputs. Readers familiar with circuit modeling may wish to skip directly to section 2.2, which describes Brockett's annulus construction and shows how it can be used to model inputs to our circuits.


2.1  Circuit  Models 


We model MOS circuits as a collection of voltage controlled current sources and (linear) capacitors. A voltage controlled current source defines a relationship between the voltages on its terminals and the currents flowing into those terminals. By convention, current is the flow of "positive charges," and a flow of electrons into the device is represented by a negative current. Consider the device depicted below:
The device U is connected to three nodes, a, b, and c. The voltage $V_a$ denotes the voltage at node a, and likewise for $V_b$ and $V_c$. We write $V_{ba}$ to denote $V_b - V_a$ and likewise for $V_{cb}$. The current $i_a$ denotes the current flowing into device U through node a. If U is a voltage controlled current source, then $i_a$ is a function of the voltages $V_a$, $V_b$ and $V_c$. We write $i_a = U_a(V_a, V_b, V_c)$.

More generally, let V denote the vector of node voltages in the circuit, and let $i_U$ denote the vector of currents flowing into U through each node of the circuit. We write

$$i_U = I_U(V) \qquad (1)$$

For example, an n-channel MOSFET can be modeled as a three terminal, voltage controlled current source. The three terminals are the gate, g, the source, s, and the drain, d. A simple model (see [GD85], equations 2.85 - 2.87) is

$$i_g(V_g, V_s, V_d) = 0$$

$$i_d(V_g, V_s, V_d) = \begin{cases} 0, & \text{if } V_{ds} \ge 0 \text{ and } V_{gs} \le V_t \\ G(V_{gs} - V_t)^2, & \text{if } V_{ds} \ge 0 \text{ and } V_{ds} \ge V_{gs} - V_t > 0 \\ G\,V_{ds}\,(2(V_{gs} - V_t) - V_{ds}), & \text{if } V_{ds} \ge 0 \text{ and } V_{gs} - V_t > V_{ds} \ge 0 \\ -i_d(V_g, V_d, V_s), & \text{if } V_{ds} < 0 \end{cases} \qquad (2)$$

$$i_s(V_g, V_s, V_d) = -i_d(V_g, V_s, V_d)$$

where $V_t$ is the "threshold voltage" of the transistor, and G is the transconductance. These two constants are determined by the size and shape of the transistor and by properties of the fabrication process.

A capacitor defines a relationship between the time derivatives of the voltages on the terminals and the currents flowing into these terminals. For a capacitor of fixed capacitance C connected to nodes a and b,

$$i_b = -i_a = C\frac{dV_b}{dt} - C\frac{dV_a}{dt}$$

More generally, a capacitor U defines a matrix valued function $C_U$ such that

$$i_U = C_U(V)\frac{dV}{dt} \qquad (3)$$

For the models arising from MOS circuits, this matrix corresponds to a network of voltage dependent, two-terminal capacitors. Physically, there must be some capacitance between every pair of nodes; in practice, many of these capacitances are small and neglected when constructing a circuit model. Any realistic model will associate at least one capacitor with each node; for such models, $C_U(V)$ is real-symmetric and positive definite.
Given models for each device in the circuit, we construct an ODE model for the whole system using Kirchhoff's current law. As depicted in figure 1, Kirchhoff's current law states that the sum of the currents flowing into each node of the circuit must be zero. Likewise, the sum of the currents flowing into each device must be zero. Both of these constraints are direct consequences of charge conservation.

Fig. 1. Kirchhoff's Laws. The figure shows a circuit with nodes $a, \ldots, f$ and devices $1, \ldots, 6$, with $i_{x,m}$ the current flowing into device m at node x:

$$\forall x \in \{a \cdots f\}.\ \sum_{m=1}^{6} i_{x,m} = 0 \qquad\qquad \forall m \in \{1 \ldots 6\}.\ \sum_{x=a}^{f} i_{x,m} = 0$$

From Kirchhoff's current law, we have

$$\sum_{U \in \mathcal{C}} C_U(V)\frac{dV}{dt} + \sum_{U \in \mathcal{I}} I_U(V) = 0$$

where $\mathcal{C}$ denotes the set of capacitor devices, and $\mathcal{I}$ denotes the set of current source devices. Solving for dV/dt yields

$$\frac{dV}{dt} = -\Big(\sum_{U \in \mathcal{C}} C_U(V)\Big)^{-1} \Big(\sum_{U \in \mathcal{I}} I_U(V)\Big) \qquad (4)$$

which is an ODE model for the circuit.
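As an added worked example (not the paper's code), the following Python assembles equation (4) for a constructed two-stage NMOS inverter chain, using the transistor model of equation (2), linear two-terminal capacitors and resistive pull-ups modelled as linear voltage controlled current sources, and then checks the device law and KCL on the result. The node names, device values and the small Gauss-Jordan solver are assumptions of this example.

```python
def nmos_id(Vg, Vs, Vd, G, Vt):
    """Drain current of the n-channel MOSFET model of equation (2)."""
    Vds, Vgs = Vd - Vs, Vg - Vs
    if Vds < 0:                                   # source and drain exchange roles
        return -nmos_id(Vg, Vd, Vs, G, Vt)
    if Vgs <= Vt:                                 # cut-off
        return 0.0
    if Vds >= Vgs - Vt:                           # saturation
        return G * (Vgs - Vt) ** 2
    return G * Vds * (2.0 * (Vgs - Vt) - Vds)     # triode (linear) region


def nmos(Vg, Vs, Vd, G, Vt):
    """Currents (i_g, i_s, i_d) flowing into the gate, source and drain terminals."""
    i_d = nmos_id(Vg, Vs, Vd, G, Vt)
    return 0.0, -i_d, i_d                         # i_g = 0, so the device currents sum to zero


def solve(M, b):
    """Solve M x = b by Gauss-Jordan elimination with partial pivoting (M small and dense)."""
    n = len(b)
    A = [row[:] + [bi] for row, bi in zip(M, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        for r in range(n):
            if r != col:
                f = A[r][col] / A[col][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return [A[i][n] / A[i][i] for i in range(n)]


class Circuit:
    """Free nodes are the state variables; fixed nodes (supplies, inputs) have dV/dt = 0."""
    def __init__(self, free_nodes):
        self.free = list(free_nodes)
        self.sources = []   # voltage controlled current sources: (terminal nodes, fn(V) -> currents in)
        self.caps = []      # linear two-terminal capacitors: (node a, node b, C)

    def add_nmos(self, g, s, d, G, Vt):
        self.sources.append(((g, s, d), lambda V: nmos(V[g], V[s], V[d], G, Vt)))

    def add_resistor(self, a, b, R):   # a resistor is a linear voltage controlled current source
        self.sources.append(((a, b), lambda V: ((V[a] - V[b]) / R, (V[b] - V[a]) / R)))

    def add_capacitor(self, a, b, C):
        self.caps.append((a, b, C))

    def source_currents(self, V):
        """Sum over U in I of I_U(V): current flowing into current sources at each free node."""
        I = {n: 0.0 for n in self.free}
        for nodes, fn in self.sources:
            for n, i in zip(nodes, fn(V)):
                if n in I:
                    I[n] += i
        return I

    def cap_matrix(self):
        """Sum over U in C of C_U restricted to free nodes: i_a = C (dVa/dt - dVb/dt), i_b = -i_a."""
        idx = {n: k for k, n in enumerate(self.free)}
        M = [[0.0] * len(self.free) for _ in self.free]
        for a, b, C in self.caps:
            for p, q, s in ((a, a, C), (b, b, C), (a, b, -C), (b, a, -C)):
                if p in idx and q in idx:
                    M[idx[p]][idx[q]] += s
        return M

    def dvdt(self, V):
        """Equation (4): dV/dt = -(sum C_U)^-1 (sum I_U(V)) on the free nodes."""
        I = self.source_currents(V)
        x = solve(self.cap_matrix(), [-I[n] for n in self.free])
        return dict(zip(self.free, x))

    def kcl_residual(self, V):
        """Net current into each free node (sources plus capacitors); zero when KCL holds."""
        d = dict(self.dvdt(V), **{n: 0.0 for n in V if n not in self.free})
        resid = self.source_currents(V)
        for a, b, C in self.caps:
            for n, sign in ((a, 1.0), (b, -1.0)):
                if n in resid:
                    resid[n] += sign * C * (d[a] - d[b])
        return resid


def inverter_chain():
    """Constructed two-stage inverter chain: NMOS pull-downs with 10 kOhm pull-ups, 1 pF load
    per stage and a 0.2 pF coupling capacitor between the outputs; input held high (5 V)."""
    ckt = Circuit(["out1", "out2"])
    ckt.add_resistor("vdd", "out1", 1e4)
    ckt.add_nmos("in", "gnd", "out1", G=1e-4, Vt=1.0)
    ckt.add_resistor("vdd", "out2", 1e4)
    ckt.add_nmos("out1", "gnd", "out2", G=1e-4, Vt=1.0)
    for n in ("out1", "out2"):
        ckt.add_capacitor(n, "gnd", 1e-12)
    ckt.add_capacitor("out1", "out2", 2e-13)
    V = {"vdd": 5.0, "gnd": 0.0, "in": 5.0, "out1": 5.0, "out2": 0.0}
    return ckt, V
```

With the input high, the first stage is in saturation and pulls out1 down at 1.3 V/ns while out2 starts rising at 0.2 V/ns; the coupling capacitor makes the matrix in equation (4) non-diagonal, which is why a solve rather than a per-node division is needed.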

The device models above are simplistic, allowing a shorter presentation and making the analysis in the remainder of this paper tractable. While these models capture many of the key features of MOS circuit operation, we note that the transistor model of equation 2 neglects the body effect and short channel effects. Similarly, when modeling capacitors we make the simplifying assumption that $C_U$ is a constant; in real MOS designs, $C_U$ depends substantially on V. Kirchhoff's current law is itself an approximation of Maxwell's equations, and so ignores "displacement currents." Typically, designers use more accurate models than those presented for transistors and capacitors — here we have chosen to avoid complexity while retaining the key features of realistic circuit models.

2.2  Input  Signals 

The problem of verifying an entire chip at the ODE level appears to be hopelessly intractable. Instead, we focus on the problem of verifying small circuits and showing that the outputs of one circuit satisfy the constraints that we assume for inputs to other circuits. Such a method requires a mechanism for specifying the expected inputs and the allowed outputs of each small circuit.


Fig. 2. Brockett's Annulus


Figure 2 depicts the annulus proposed by Brockett [Bro89] that we use to specify the levels and transitions of signals. When a variable is in region 1, its value is constrained but its derivative may be either positive or negative. We will consider this a logically low signal. When the variable leaves region 1, it must enter region 2. Because the derivative of the variable is strictly positive in this region, it makes a monotonic transition rising to region 3. Regions 3 and 4 are analogous to regions 1 and 2, and correspond to logically high and monotonically falling signals respectively. Because transitions through regions 2 and 4 are monotonic, traversals of these regions are distinct events. The properties of the annulus provide a topological basis for discrete behaviours.

Many common signal parameters are represented by the geometry of an annulus. The horizontal radii of the annulus define the maximum and minimum high and low levels of the signal (i.e. $V_{0l}$, $V_{0h}$, $V_{1l}$, and $V_{1h}$ in figure 2). The maximum and minimum rise time for the signal correspond to trajectories along the upper-inner and upper-outer boundaries of the annulus respectively. Likewise, the lower-inner and lower-outer boundaries of the annulus specify the maximum and minimum fall times.
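The following Python is an added example (not from the paper): it realises the annulus as the ring between two ellipses centred at the mid-level in the (V, dV/dt) plane, classifies sampled (value, derivative) pairs into the four regions, checks that a sampled trajectory only makes the monotone phase changes 1 to 2, 2 to 3, 3 to 4 and 4 to 1, and derives the rise-time bounds from the boundary geometry. The elliptic shape, the numeric levels and slew rates, and the sample signals are constructed assumptions of this example.

```python
import math


class Annulus:
    """Brockett annulus between an inner and an outer ellipse centred at (vc, 0) in the
    (V, dV/dt) plane.  Horizontal radii fix the logic levels; vertical radii bound the slew."""
    def __init__(self, vc, a_in, a_out, b_in, b_out):
        assert 0 < a_in < a_out and 0 < b_in < b_out
        self.vc, self.a_in, self.a_out, self.b_in, self.b_out = vc, a_in, a_out, b_in, b_out

    def levels(self):
        """(V0l, V0h, V1l, V1h): min/max low level and min/max high level."""
        return (self.vc - self.a_out, self.vc - self.a_in, self.vc + self.a_in, self.vc + self.a_out)

    def contains(self, v, dv):
        u = v - self.vc
        inner = (u / self.a_in) ** 2 + (dv / self.b_in) ** 2
        outer = (u / self.a_out) ** 2 + (dv / self.b_out) ** 2
        return inner >= 1.0 and outer <= 1.0

    def region(self, v, dv):
        """1 = low, 2 = rising, 3 = high, 4 = falling; None if (v, dv) leaves the annulus."""
        if not self.contains(v, dv):
            return None
        v0l, v0h, v1l, v1h = self.levels()
        if v <= v0h:
            return 1
        if v >= v1l:
            return 3
        return 2 if dv > 0 else 4   # between the levels the inner ellipse excludes dv == 0

    def rise_time_bounds(self):
        """(fastest, slowest) time to cross region 2 from V0h to V1l, from integrating
        dt = dV / (dV/dt) along the outer and the inner boundary respectively."""
        fastest = 2.0 * self.a_out / self.b_out * math.asin(self.a_in / self.a_out)
        slowest = math.pi * self.a_in / self.b_in
        return fastest, slowest


ALLOWED = {(1, 2), (2, 3), (3, 4), (4, 1)}  # the only admissible phase changes


def abstract(annulus, samples):
    """Discrete abstraction of sampled (v, dv) pairs: returns (ok, phases), where phases is the
    run-length-compressed sequence of regions visited and ok becomes False as soon as a sample
    leaves the annulus or a phase change is not one of ALLOWED."""
    phases = []
    for v, dv in samples:
        r = annulus.region(v, dv)
        if r is None:
            return False, phases
        if not phases or r != phases[-1]:
            if phases and (phases[-1], r) not in ALLOWED:
                return False, phases + [r]
            phases.append(r)
    return True, phases


def sinusoid(vc, amp, omega, n, dt):
    """Constructed signal v(t) = vc + amp*cos(omega*t), sampled together with its exact derivative."""
    return [(vc + amp * math.cos(omega * k * dt), -amp * omega * math.sin(omega * k * dt))
            for k in range(n)]


# Constructed parameters: low level 0.0..0.5 V, high level 2.5..3.0 V, slew between 1 and 3 V/ns.
ANNULUS = Annulus(vc=1.5, a_in=1.0, a_out=1.5, b_in=1.0, b_out=3.0)
CLEAN = sinusoid(1.5, 1.25, 1.6, 80, 0.05)        # about one period, stays inside the annulus
GLITCH = [(0.2, 0.0), (1.0, 2.0), (1.5, -2.0)]    # starts rising, then reverses mid-swing
SLOW = [(0.2, 0.0), (1.5, 0.5)]                   # slew too small: inside the inner ellipse

if __name__ == "__main__":
    print(abstract(ANNULUS, CLEAN))    # (True, [3, 4, 1, 2, 3])
    print(abstract(ANNULUS, GLITCH))   # (False, [1, 2, 4])
    print(abstract(ANNULUS, SLOW))     # (False, [1])
    print(ANNULUS.rise_time_bounds())
```

The clean sinusoid spends about 1.16 ns in region 2, between the fastest (about 0.73 ns, outer boundary) and slowest (pi ns, inner boundary) rise times that the geometry allows.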


3  Reachability  Analysis 

In this section we present our theoretic results. After looking at the connection between verification and reachability, we examine three increasingly difficult reachability analyses: linear models with convex polyhedra, linear models with non-convex polyhedra, and finally nonlinear models with non-convex polyhedra.
3.1 Verification as Reachability

Many circuit verification problems can be formulated as reachability analysis problems. For example, consider a circuit that implements a simple state machine. An ODE model provides a mapping between the continuous circuit state (node voltages) and the time derivative of that state. Thus, given a point in the continuous space, the value and derivative of each signal are known. Using a Brockett annulus, each signal can be interpreted discretely as being low, rising, high, or falling. The continuous model implements the discrete specification if every reachable point in the continuous model corresponds to a state or transition of the discrete specification.

First consider the verification of bounded prefixes of trajectories. For a circuit with $d$ nodes, the continuous state space is $\mathbb{R}^d$. We assume that the derivative function for the model is autonomous (i.e. independent of time) and finitely piecewise continuous (therefore locally bounded). Given a bounded region $Q \subseteq \mathbb{R}^d$, $Q_0 \subseteq Q$, and $t_f \in \mathbb{R}^+$, we want to show that all trajectories that start in $Q_0$ at time 0 will remain in $Q$ for all times up to $t_f$. Our approach to this problem is to construct a sequence of time steps $t_0 < t_1 < \dots < t_k$ such that $t_0 = 0$ and $t_k = t_f$. For $i = 1 \dots k$, we construct a region $Q_i$ such that any trajectory that starts in $Q_{i-1}$ at time $t_{i-1}$ will be in $Q_i$ at time $t_i$. We then construct a second set of regions $Q'_0, \dots, Q'_{k-1}$ such that any trajectory that starts in $Q_i$ at time $t_i$ will remain in $Q'_i$ up to and including time $t_{i+1}$. If $\bigcup_{i=0}^{k-1} Q'_i \subseteq Q$, then all trajectories that start in $Q_0$ at time 0 will remain in $Q$ for all times up to $t_f$, as can be readily shown by the construction of $Q'_i$.

Now consider infinite trajectories. Let $Q$, $Q_i$, $Q'_i$, and $t_i$ be constructed as above, $Q^* = \bigcup_{i=0}^{k-1} Q'_i$, and $Q^+ = \bigcup_{i=0}^{k-1} Q_i$. If $Q_k \subseteq Q^+$, then any trajectory that starts in $Q_0$ remains in $Q^*$ forever. To see this, let $x : \mathbb{R}^+ \to \mathbb{R}^d$ be a trajectory with $x(0) \in Q_0$. Let $\tau_{\min} = \min_{i=1}^{k} (t_i - t_{i-1})$. There exists a sequence of times, $\tau_m$, such that for all $m \ge 0$, $x(\tau_m) \in Q^+$ and $\tau_m \ge m\,\tau_{\min}$. The proof is completed by induction on $m$. For $m = 0$, $\tau_m = 0$. For $m > 0$, let $j \in \{0 \dots k-1\}$ such that $x(\tau_{m-1}) \in Q_j$. Let

$$\tau_m = \tau_{m-1} + (t_{j+1} - t_j) \ge \tau_{m-1} + \tau_{\min} \ge m\,\tau_{\min}$$

Then, $x(\tau_m) \in Q_{j+1} \subseteq Q^+$.

In general, it is not feasible to represent exactly the reachable regions of systems modeled by ODEs. Most non-linear ODEs, including those that arise when modeling VLSI circuits, do not have closed form solutions. Because proof of safety properties is our objective, over-estimation of the reachable space is conservative — false negatives are possible, but not false positives. Consequently, we use "containing approximations", within which lie the true reachable state spaces.

As described above, the next few sections examine three different cases of reachability analysis. First, we consider the special case of linear ODEs where the initial region is a convex polyhedron — we show that the $Q_i$ sequence can be computed exactly, and the $Q'_i$ sequence can be computed with arbitrary accuracy. In general, convexity is not preserved by non-linear models, and we develop our treatment of non-linear models in two steps. First, section 3.3 presents a conservative approximation technique for the particular class of non-convex polyhedra that can be represented by their projections onto two-dimensional subspaces; however, linear models are retained. In section 3.4 we show how these projection polyhedra can be used with non-linear models.

3.2  Linear  models  and  convex  polyhedra 

This section presents the special case where the ODE model is linear, and $Q_0$ is convex. An ODE model is linear if it can be written in the form

$$\dot{x} = Ax \qquad (5)$$

where $x : \mathbb{R}^+ \to \mathbb{R}^d$ is a trajectory and $A \in \mathbb{R}^{d \times d}$ is a matrix (note that this definition of "linear" is more general than the one used in much of the hybrid systems literature). We assume that $A$ has a full-rank set of eigenvectors. If not, a small perturbation of $A$ will produce such a matrix, and the techniques presented in section 3.4 can be applied. With this assumption, the solution of equation 5 is [HS74]

$$x(t) = e^{tA} x(0) \qquad (6)$$

For any fixed value of $t$, $e^{tA}$ is a linear operator that can be represented by a matrix, and $e^{tA}$ is invertible.

A $d$-dimensional convex polyhedron with $m$ faces can be represented by a linear program of the form

$$Mx \le B \qquad (7)$$

where $M \in \mathbb{R}^{m \times d}$ is a matrix and $B \in \mathbb{R}^m$ is a vector (see [PS82]). We write $(M, B)$ to denote the linear program of equation 7, and write $x \in (M, B)$ to denote that $x$ satisfies this linear program.

Polyhedra can be bloated. If $(M, B)$ is a linear program, and $u$ is a real number, then $\mathrm{bloat}((M, B), u)$ is the polyhedron obtained by moving each face of $M$ outward by $u$. Let $\Delta \in \mathbb{R}^m$ be a vector such that its $j$th element is given by $\Delta(j) = u\,\|M_j\|_2$, where $\|M_j\|_2$ denotes the $L_2$ norm of row $j$ of $M$. Then,

$$\mathrm{bloat}((M, B), u) = (M, B + \Delta) \qquad (8)$$

Convexity is preserved by linear operators. In particular, let the linear program $(M_0, B_0)$ describe the convex region $Q_0$, let $t_1 \in \mathbb{R}^+$, and let $A$ be the matrix representation of a linear ODE model. A point $x$ is reachable from $Q_0$ at time $t_1$ if and only if $x \in (M_0 e^{-t_1 A}, B_0)$, which follows directly from equations 6 and 7. Thus, we can construct $Q_1 \dots Q_k$ such that for $i = 1 \dots k$, any trajectory that starts in $Q_{i-1}$ at time $t_{i-1}$ will be in $Q_i$ at time $t_i$. In particular,

$$Q_i = (M_0 e^{-t_i A}, B_0) \qquad (9)$$

These $Q_i$ are exact.




Although the $Q_i$'s (the reachable regions at each time step) are convex, the same does not necessarily hold for the $Q'_i$'s (the regions reachable during all times between steps). For example, consider the system depicted in figure 3. Trajectories are counter-clockwise circles centered at the origin. Although $Q_0$ and $Q_1$ are both convex, the minimal region for $Q'_0$ is the region swept out by moving $Q_0$ through an arc of $t_1$ radians (the shaded region in figure 3). Region $Q'_0$ is not convex.

Rather than trying to solve for $Q'_0$ exactly, we will find an approximation. Note that $\dot{x} = Ax$ is locally bounded; therefore it is bounded in $Q$. Define the scalar $\|\dot{x}\|_{\max} = \max_{x \in Q} \|Ax\|_2$. A trajectory that starts in region $Q_i$ at time $t_i$ remains within a distance $(t_{i+1} - t_i)\,\|\dot{x}\|_{\max}$ of $Q_i$ until time $t_{i+1}$. Let

$$Q'_i = \mathrm{bloat}\big((M_0 e^{-t_i A}, B_0),\ (t_{i+1} - t_i)\,\|\dot{x}\|_{\max}\big) \qquad (10)$$

For any trajectory $x$ such that $x(t_i) \in Q_i$ and for any time $t \in [t_i, t_{i+1}]$, $x(t) \in Q'_i$ as required.

Although the $Q'_i$ are containing approximations, each one is computed from an exact $Q_i$ — the errors of making a conservative approximation do not accumulate between time steps. To achieve accurate estimates of the reachable space, the time steps should be relatively small so that there is little of $Q'_i$ outside of $Q_i \cup Q_{i+1}$. For example, this approach would compute a large overestimate of $Q'_0$ for the time step depicted in figure 3.

A straightforward approach to verification is to construct a sequence of $Q_i$ and $Q'_i$ as described above, and verify that each $Q'_i$ is contained in $Q$. If all containments are established, then the verification is complete. Otherwise, choose $i$ such that $Q'_i$ is not contained in $Q$. A counterexample to the verification is established if either of the exact solutions $Q_i$ or $Q_{i+1}$ is not contained in $Q$. If neither of the exact solutions provides a counterexample, divide the step from $Q_i$ to $Q_{i+1}$ into two smaller steps and repeat the verification. This process terminates when containment of all the $Q'_i$'s is verified, a counter-example is found, or the time step is smaller than is meaningful for the chosen model. In the latter case, the property cannot be verified with the given model. Typical variation in MOS circuit parameters can be ±20% or more, although closely matched circuits (e.g. sense-amplifiers, see [Bak90]) can be designed that are balanced to within a few parts per thousand.
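The procedure of this section, as an added example that is not part of the paper: a pure-Python run of the reachability check on the rotating system of figure 3 ($A = [[0,-1],[1,0]]$), with exact $Q_i$ from equation (9), $Q'_i$ from the bloat of equation (10), a vertex-based containment test for bounded 2-D polygons, and the step-halving loop described above. The initial region, the safe region $Q$, the step sizes and the function names are this example's own constructed choices.

```python
import math

# Added example, not the paper's own code: the section 3.2 procedure run on the
# system of figure 3, whose trajectories are counter-clockwise circles about the
# origin, i.e. A = [[0, -1], [1, 0]]. Every region is a convex polygon written as
# a linear program (M, B) meaning {x : M x <= B}. All numbers are constructed.

def exp_minus_tA(t):
    """e^{-tA} for the rotation matrix A: e^{tA} rotates by t radians,
    so e^{-tA} rotates by -t radians."""
    c, s = math.cos(t), math.sin(t)
    return [[c, s], [-s, c]]

def mat_mul(M, R):
    """Product of an m x 2 constraint matrix M with a 2 x 2 matrix R."""
    return [[sum(row[k] * R[k][j] for k in range(2)) for j in range(2)]
            for row in M]

def reach_at(M0, B0, t):
    """Equation (9): Q_i = (M0 e^{-t_i A}, B0), the exact image of Q0 at time t."""
    return mat_mul(M0, exp_minus_tA(t)), list(B0)

def bloat(M, B, u):
    """Equation (8): move every face outward by u, i.e. B_j + u * ||M_j||_2."""
    return M, [b + u * math.hypot(row[0], row[1]) for row, b in zip(M, B)]

def vertices(M, B, eps=1e-9):
    """Vertices of a bounded polygon (M, B): intersections of pairs of
    constraint lines that satisfy every constraint."""
    pts = []
    for i in range(len(M)):
        for j in range(i + 1, len(M)):
            (a1, b1), (a2, b2) = M[i], M[j]
            det = a1 * b2 - a2 * b1
            if abs(det) < eps:          # parallel faces never meet
                continue
            x = (B[i] * b2 - B[j] * b1) / det
            y = (a1 * B[j] - a2 * B[i]) / det
            if all(r[0] * x + r[1] * y <= b + eps for r, b in zip(M, B)):
                pts.append((x, y))
    return pts

def contained(M, B, MQ, BQ, eps=1e-9):
    """A convex polygon lies inside a convex polygon iff all its vertices do."""
    return all(r[0] * x + r[1] * y <= b + eps
               for x, y in vertices(M, B) for r, b in zip(MQ, BQ))

def box(x_lo, x_hi, y_lo, y_hi):
    """Axis-aligned box as a linear program (M, B)."""
    return [[-1, 0], [1, 0], [0, -1], [0, 1]], [-x_lo, x_hi, -y_lo, y_hi]

def xdot_max_on_box(x_lo, x_hi, y_lo, y_hi):
    """||xdot||_max = max over Q of ||A x||_2; for a rotation ||A x|| = ||x||,
    which is largest at a corner of the box Q."""
    return max(math.hypot(x, y) for x in (x_lo, x_hi) for y in (y_lo, y_hi))

def verify(Q0, Q, xdot_max, t_f, step, min_step):
    """Section 3.2 verification: do all trajectories from Q0 stay in Q up to
    t_f?  Returns ("verified", steps), ("counterexample", t) if an exact Q_i
    leaves Q, or ("undecided", t) once the step falls below min_step."""
    (M0, B0), (MQ, BQ) = Q0, Q
    t, steps = 0.0, 0
    while t < t_f - 1e-12:
        dt = min(step, t_f - t)
        Mi, Bi = reach_at(M0, B0, t)               # exact Q_i
        Mn, Bn = reach_at(M0, B0, t + dt)          # exact Q_{i+1}
        Mp, Bp = bloat(Mi, Bi, dt * xdot_max)      # containing Q'_i, equation (10)
        if contained(Mp, Bp, MQ, BQ):
            t, steps = t + dt, steps + 1
            continue
        if not (contained(Mi, Bi, MQ, BQ) and contained(Mn, Bn, MQ, BQ)):
            return ("counterexample", t)
        step = dt / 2.0     # neither exact region leaves Q: refine the step
        if step < min_step:
            return ("undecided", t)
    return ("verified", steps)

if __name__ == "__main__":
    Q0 = box(0.6, 1.0, -0.2, 0.2)        # constructed initial region
    Q = box(-1.2, 1.2, -1.2, 1.2)        # constructed safe region
    xd = xdot_max_on_box(-1.2, 1.2, -1.2, 1.2)
    # A coarse first step of 1 radian overestimates Q'_0 badly (as in figure 3);
    # the procedure halves it until the bloated region fits, then completes a
    # full revolution.
    print(verify(Q0, Q, xd, 2 * math.pi, 1.0, 1e-3))
```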


3.3  Linear  models  and  non-convex  polyhedra 

Although systems with linear ODE models can be analysed quite accurately using the techniques described in the previous section, such systems do not have a rich enough phase space structure for interesting digital computation. In a linear system, the asymptotic behaviour of trajectories is either convergence towards the origin, divergence to infinity, or an orbit centered at the origin. In order to examine more interesting systems, we need techniques to analyse non-linear models. In general, these models do not preserve the convexity of polyhedra; therefore, we begin by describing the class of non-convex polyhedra that we use in our analysis.


Representation 

We represent high dimensional polyhedra by their projections onto two dimensional subspaces, where these projections are not required to be convex. Conversely, a full dimensional polyhedron can be obtained from its projections by back-projecting each into a prism in $\mathbb{R}^d$ and computing the intersection of those prisms (see figure 4). More formally, let $\{u_1, u_2, \dots, u_d\}$ be an orthogonal basis for $\mathbb{R}^d$. If $P$ is a polygon, we write $(u_{X(P)}, u_{Y(P)})$ to denote the basis of $P$. We write $\mathrm{ConvexHull}(P)$ to denote the convex hull (see [PS85]) of $P$, and it is understood that $X(\mathrm{ConvexHull}(P)) = X(P)$ and $Y(\mathrm{ConvexHull}(P)) = Y(P)$. We write $\mathrm{prism}(P)$ to denote the inverse projection of $P$ back into the full dimensional space:

$$\mathrm{prism}(P) = \{(x_1, \dots, x_d) \in \mathbb{R}^d \mid (x_{X(P)}, x_{Y(P)}) \in P\} \qquad (11)$$

Let $\mathcal{V}$ be a collection of polygons. The object represented by $\mathcal{V}$ is $Q(\mathcal{V})$ where

$$Q(\mathcal{V}) = \bigcap_{P \in \mathcal{V}} \mathrm{prism}(P) \qquad (12)$$

We note that faces of $Q(\mathcal{V})$ correspond to edges of the projection polygons. If $P$ is a projection polygon, and $e$ is an edge of $P$, we write $X(e)$ and $Y(e)$ to denote $X(P)$ and $Y(P)$ respectively. Likewise, we define $\mathrm{prism}(e)$ to be

$$\mathrm{prism}(e) = \{(x_1, \dots, x_d) \in \mathbb{R}^d \mid (x_{X(e)}, x_{Y(e)}) \in e\} \qquad (13)$$

Fig. 4. A three dimensional polyhedron and its projections


If $e$ is an edge of a projection polygon, we write $\mathrm{face}(e, \mathcal{V})$ to denote the face corresponding to $e$:

$$\mathrm{face}(e, \mathcal{V}) = Q(\mathcal{V}) \cap \mathrm{prism}(e) \qquad (14)$$

We write $\mathrm{face}(e)$ when $\mathcal{V}$ is apparent from context.

There  are  several  advantages  to  this  representation.  First,  it  corresponds 
to  an  engineer’s  intuitive  notion  of  how  a  circuit  works.  Typically,  each  signal 
is  “controlled”  by  a  small  number  of  other  signals.  Pairing  each  node  with 
each  of  its  controlling  nodes  naturally  captures  the  causal  behaviour  of  the 
circuit.  Because  most  circuits  have  limited  fan-in  and  fan-out,  the  number  of 
such  pairs,  and  hence  the  number  of  polygons,  is  proportional  to  the  number 
of  nodes  in  the  circuit. 

From the perspective of a numerical analyst, the engineer's intuition means that a full dimension polyhedral representation of the reachable region may provide unneeded freedom in its ability to represent constraints between every possible combination of variables. In the same way that many matrices encountered in practice contain interaction between only limited sets of variables, in many ODE systems each variable only directly influences a small number of others. Dense storage and manipulation of sparse matrices is wasteful; similarly, representing the reachable state space as a full dimensional polyhedron may be exponentially extravagant.

Finally, there are algorithmic advantages to using projections. The existence of a sound method for computing the evolution of bounding polyhedra represented in this manner is key to verification. In addition, all geometric operations take place in two dimensions where there are many results and algorithms available from computational geometry [PS85]. Lastly, it is relatively easy to compute the convex hull of a polygon, thus producing a containing approximation of that polygon in the form of a linear program.

Of course, there are many polyhedra that cannot be exactly represented by this approach. First, indentations on the surface of an object can not be represented; likewise, many perforated objects and knot-like objects can only be approximated. We require that the projections are orthogonal; therefore, edges formed by the intersection of projections must be at right-angles. Further experimentation is needed to determine the significance of these limitations when analysing circuits modeled by ODEs.

Reachability 

Let $Q(\mathcal{V}_0)$ be a polyhedron, and let $\dot{x} = Ax$ be a linear model for a system. Given a monotonically increasing sequence of times, $t_1 \dots t_k$, we will construct a sequence of polyhedra $Q(\mathcal{V}_1) \dots Q(\mathcal{V}_k)$ such that trajectories that start in $Q(\mathcal{V}_0)$ at time $t = 0$ are contained in $Q(\mathcal{V}_i)$ at time $t = t_i$. Our approach is based on three observations, which we justify below. First, it is sufficient to consider trajectories emanating from the faces of $Q(\mathcal{V}_0)$, as these will define the faces of the polyhedron at later times. Second, for each edge $e$ of a projection polygon, it is straightforward to construct a convex containing approximation for $\mathrm{face}(e)$. Third, the method described in section 3.2 can be used to determine reachability from this convex approximation.

Because $Ax$ is locally bounded, trajectories are continuous and cannot cross. Therefore, trajectories starting on a face of the polyhedron provide bounds for trajectories starting in the interior.

To construct a convex approximation for $\mathrm{face}(e)$ let

$$Z(\mathcal{V}) = \bigcap_{P \in \mathcal{V}} \mathrm{prism}(\mathrm{ConvexHull}(P)) \qquad (15)$$

It is straightforward to show that $\mathrm{ConvexHull}(Q(\mathcal{V})) \subseteq Z(\mathcal{V})$ and $\mathrm{ConvexHull}(\mathrm{face}(e, \mathcal{V})) \subseteq \mathrm{ConvexHull}(Q(\mathcal{V})) \cap \mathrm{prism}(e)$. Therefore,

$$\mathrm{ConvexHull}(\mathrm{face}(e, \mathcal{V})) \subseteq Z(\mathcal{V}) \cap \mathrm{prism}(e) \qquad (16)$$

Given $\mathcal{V}$, a linear program for $Z(\mathcal{V})$ can be constructed by computing the convex hull for each polygon in $\mathcal{V}$ and taking the conjunction of their constraints. Each polygon is two dimensional, allowing efficient (i.e. $O(n \log n)$) algorithms to be used. Once $Z(\mathcal{V})$ is calculated, it is easily extended to produce $Z(\mathcal{V}) \cap \mathrm{prism}(e)$ for each edge. This provides our convex approximation of $\mathrm{face}(e, \mathcal{V})$.

The method described above allows us to construct a $(d-1)$-dimensional convex approximation for each face of $Z(\mathcal{V}_0)$. The reachable space from each face can then be computed by the techniques given in section 3.2. The boundary of the region reachable from $Z(\mathcal{V}_0)$ is contained in the union of the regions reachable from the faces.
In order for the same algorithms to be used for the next time step, we would like to compute a containing approximation of this boundary as a series of projections — describing the new boundary in the same way that $Z(\mathcal{V}_0)$ was described. Given a linear program for a face, the projection of that face onto a plane can be computed by finding an extremal vertex of the projection, and tracing the rest of the vertices with a series of pivots (see [AF92]). Because there may be an exponentially large number of vertices in this projection, such an approach may be slow. To avoid tracing too many vertices, extremal vertices can be computed for a fixed set of directions, and edges associated with these vertices joined to produce a containing approximation of the projection. Regardless of the method chosen to compute the projections, an object that contains everything reachable from $Q(\mathcal{V}_0)$ can be constructed by filling in the projection polygons (another straightforward operation).

An unattractive feature of this approach is that the reachable polyhedron for each face must be projected onto all planes used for the original projection polygons. Intuitively, this is because with a linear model, we can calculate the exact image of the convex approximations of the face for arbitrarily large times. During such an extended time interval, the polyhedron can rotate, and any face can become an extremal face for any projection.


3.4  Non-linear  models  and  non-convex  polyhedra 

We extend the methods of the previous section to non-linear models in three steps. First, we will approximate the non-linear model by a linear model and a correction term. Second, we show how this correction term can be described as a non-determinate function of time, allowing the non-linear ODE to be approximated by a first order linear differential equation with a non-determinate nonhomogeneity. Finally, by bounding the solutions of the nonhomogeneous system, we obtain a containing approximation of solutions to the original non-linear system.

Because the method from section 3.3 considers each face separately, we focus on the problem of finding the points reachable in time $\Delta t$ from a point in $\mathrm{face}(e)$ for some edge $e$, for a model whose derivative function has an $L_2$ norm bounded by $\|\dot{x}\|_{\max}$. In determining the region reachable from $\mathrm{face}(e)$, only points in $\mathrm{bloat}(\mathrm{face}(e), \Delta t\,\|\dot{x}\|_{\max})$ need to be considered. The derivation of the linear approximation and correction term is handled by the model — in other words, we leave it to the ingenuity of the programmer. When the model is evaluated, $\mathrm{bloat}(\mathrm{face}(e), \Delta t\,\|\dot{x}\|_{\max})$ is available as a linear program, so linear bounds can be readily obtained describing the region in which the approximation and correction must be valid.

As an example, consider the transistor model presented in equation 2 with $V_t = 0.5$. For a particular bloated face, assume $1.2 \le V_{gs} \le 1.6$ and $2.4 \le V_{ds} \le 3.1$. Then, everywhere in this region $i_{ds} = G(V_{gs} - V_t)^2$. Linearizing about the mid-point of the region and choosing an additive constant to minimize the worst-case absolute value of the error, we get $i_{ds} = G(1.8 V_{gs} - 1.69) \pm \varepsilon(V_{gs}, V_{ds})$, where $\varepsilon(V_{gs}, V_{ds}) \in [-0.02, 0.02]$. Similar techniques apply when the feasible region includes more or other modes of the transistor's operation.
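The transistor linearization above, as an added example that is not the paper's code: it linearizes $(V_{gs} - V_t)^2$ about the midpoint of the bloated-face box and centres the worst-case error, reproducing the $1.8 V_{gs} - 1.69$ and $\pm 0.02$ figures of the text. The grid-based error search, the function names and the factoring out of $G$ are this example's own assumptions.

```python
import itertools

# Added example, not the paper's own code: deriving the "linear model plus
# bounded correction" of section 3.4 for a scalar output over the box that a
# bloated face supplies. The transistor numbers are the ones the text uses
# (Vt = 0.5, 1.2 <= Vgs <= 1.6, 2.4 <= Vds <= 3.1); the gain G is factored
# out, so the coefficients are per unit G. The grid search for the error band
# is this example's assumption, not a method the paper describes.

VT = 0.5

def saturation_current(p):
    """i_ds / G = (Vgs - Vt)^2, the expression the text states holds
    throughout the region; p = (Vgs, Vds), and Vds does not enter."""
    vgs, _vds = p
    return (vgs - VT) ** 2

def saturation_gradient(p):
    """Partial derivatives of saturation_current with respect to (Vgs, Vds)."""
    vgs, _vds = p
    return [2.0 * (vgs - VT), 0.0]

def linearize_with_correction(f, grad, lo, hi, n=41):
    """Linearize f about the midpoint of the box [lo, hi] and choose the
    additive constant that centres the error band, so that on the sample grid
        f(p) = sum(coef * p) + const + eps(p),   eps(p) in [-eps, eps].
    For a convex quadratic the largest error sits at a box corner and the
    smallest at the tangent point; both lie on the grid, so the band is exact
    for the transistor case. Returns (coef, const, eps)."""
    mid = [0.5 * (a + b) for a, b in zip(lo, hi)]
    coef = grad(mid)
    raw_const = f(mid) - sum(c * m for c, m in zip(coef, mid))   # tangent plane
    axes = [[a + (b - a) * k / (n - 1) for k in range(n)] for a, b in zip(lo, hi)]
    errors = [f(p) - (sum(c * x for c, x in zip(coef, p)) + raw_const)
              for p in itertools.product(*axes)]
    e_min, e_max = min(errors), max(errors)
    shift = 0.5 * (e_min + e_max)       # move the band to be symmetric about 0
    return coef, raw_const + shift, 0.5 * (e_max - e_min)

def max_violation(f, coef, const, eps, lo, hi, n=201):
    """Largest amount by which |f(p) - (coef . p + const)| exceeds eps on a
    finer grid; 0.0 means the bound held everywhere it was checked."""
    axes = [[a + (b - a) * k / (n - 1) for k in range(n)] for a, b in zip(lo, hi)]
    worst = 0.0
    for p in itertools.product(*axes):
        err = abs(f(p) - (sum(c * x for c, x in zip(coef, p)) + const))
        worst = max(worst, err - eps)
    return worst

if __name__ == "__main__":
    lo, hi = [1.2, 2.4], [1.6, 3.1]        # bounds the bloated face supplies
    coef, const, eps = linearize_with_correction(
        saturation_current, saturation_gradient, lo, hi)
    # coef ~ [1.8, 0.0], const ~ -1.69, eps ~ 0.02:
    # i_ds = G(1.8 Vgs - 1.69) +/- 0.02 G, the figures quoted in the text.
    print(coef, const, eps, max_violation(saturation_current, coef, const, eps, lo, hi))
```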

Linear models can also be computed for input signals that are described using annuli (recall figure 2). As for the transistor model, the input signal model queries the linear program for the bloated face to determine upper and lower bounds for the value of the signal. For any given value of the signal, the annulus specifies upper and lower bounds for its time derivatives. From this description, a linear model with an error term can be computed. For such signals, the error term can be quite large, especially when the signal can be in the first (logical low) or third (logical high) regions of the annulus.

The non-linear correction term is a function of the state of a trajectory:

$$\dot{x} = Ax + \varepsilon(x) \qquad (17)$$

The model provides bounds on $\varepsilon(x)$; thus, we write $\varepsilon(x) \in E$ for some $E \subset \mathbb{R}^d$. For any particular trajectory, the correction term can be understood as a function of time, and we write

$$\dot{x} = Ax + \xi(t) \qquad (18)$$

By computing the set of points reachable by trajectories for all functions $\xi$ with $\xi(t) \in E$, we obtain a containing approximation for the original, non-linear system.

Equation 18 is a linear, nonhomogeneous, first-order differential equation. Such equations have a closed form solution [Apo67], namely:

$$x(t) = e^{tA} x(0) + e^{tA} \int_0^t e^{-uA} \xi(u)\,du$$

The $e^{tA} x(0)$ term is the solution to the linear approximation and the $e^{tA} \int_0^t e^{-uA} \xi(u)\,du$ term is the perturbation arising due to the non-linear correction in the model. A bound on the contribution of this correction term is computed next.

We assume that $A$ has a full rank set of eigenvectors. If not, $A$ can be perturbed slightly so as to satisfy this condition, and the perturbation can be reflected by slightly enlarging the correction term. Now, $A$ can be diagonalized [HS74]; thus $e^{-tA} = D^{-1} e^{-t\Lambda} D$, where $D$ is the diagonalizing matrix, and $\Lambda$ is diagonal. The elements of $e^{-t\Lambda}$ (also a diagonal matrix) can be readily bounded for all $t \in [0, \Delta t]$. Using standard optimization techniques [PS82], a linear program can be constructed that is a containing approximation for the values of $e^{tA} \int_0^t e^{-uA} \xi(u)\,du$.

The previous paragraph provides a mathematically rigorous way to bound the contribution to trajectories of the non-linear component of the model. We expect that it would be impractical to implement this method due to its reliance on diagonalizing $A$ — a procedure that is both time-consuming and numerically sensitive. Instead, we plan to sample $e^{-uA}$ for several values of $u \in [0, \Delta t]$ using a numerical approximation such as an integration algorithm. From these samples, approximate bounds on the non-linear contribution can be found. Just as with the mathematically rigorous approach, these bounds can be expressed as a linear program.

Using one of the methods in the previous two paragraphs, a containing approximation in linear program form for $e^{tA} \int_0^t e^{-uA} \xi(u)\,du$ can be constructed. Section 3.3 built a linear program containing the values of $e^{tA}\,\mathrm{face}(e)$. For reasons that will be explained shortly, we will instead use a linear program that contains the values of $e^{tA}\,\mathrm{face}'(e)$, where

$$\mathrm{face}'(e, \Delta t\,\|\dot{x}\|_{\max}) = \mathrm{bloat}(Z(\mathcal{V}), \Delta t\,\|\dot{x}\|_{\max}) \cap \mathrm{prism}(\mathrm{extend}(e, \Delta t\,\|\dot{x}\|_{\max}))$$

$$\mathrm{extend}(e, \Delta t\,\|\dot{x}\|_{\max}) = e \text{ with end points extended outward by } \Delta t\,\|\dot{x}\|_{\max}$$

Note that $\mathrm{face}(e) \subseteq \mathrm{face}'(e)$. A containing approximation for the sum of $e^{tA} \int_0^t e^{-uA} \xi(u)\,du$ and $e^{tA}\,\mathrm{face}'(e)$ can also be described by a linear program, and we can approximate the boundary of the reachable space at time $\Delta t$ as the union of these linear programs for each face.

The methods described in this section rely on representation of the reachable space by a collection of two dimensional projections. For example, we use an approximation of the convex hull of the reachable space which is derived from the convex hulls of the projections. Furthermore, we need to know the endpoints of each edge when creating the convex approximation of the corresponding face. Finding the endpoints is straightforward when they are defined by segment intersections in a plane. Therefore, each integration step must end by computing projection polygons for the new reachable space object.

The technique described in section 3.3 — projecting the convex hull for each transformed face onto each projection plane — could be applied here as well. For the methods described in this section, it is only necessary to project each transformed face back to the projection plane for its original edge. Let $e$ be an edge of polygon $P$ and $e'$ be an adjacent edge of another polygon. Then $e$ and $e'$ are orthogonal. Also note that all points of $\mathrm{face}(e')$ lie on the inside of $\mathrm{face}'(e, \Delta t\,\|\dot{x}\|_{\max})$. Therefore, all trajectories starting from $\mathrm{face}(e')$ remain on the inside of $\mathrm{face}'(e)$ at the end of the time step. Thus, the projection of the boundary of the polyhedron into the plane of $P$ is completely determined by the projection of the faces arising from edges in $P$ at the beginning of the time step.


4  Conclusion 

Many verification problems can be formulated as questions of reachability. With a circuit modeled by a system of ordinary differential equations, the reachability problem can be formulated as: "given an initial region $Q_0$ and an ending time $t_f$ (possibly $+\infty$), find a region $Q$ such that all trajectories starting in $Q_0$ at time $t = 0$ remain in $Q$ at least until time $t = t_f$."

We have addressed this problem for three classes of models and regions. First considering linear models with convex regions, we showed how the region reachable at a future time can be computed exactly. Furthermore, a containing approximation for points reachable through all times up until that future time can be computed with a simple trade-off between effort and accuracy. We note that the HyTech tool [HH95] represents reachable regions as a union of convex polyhedra, and it is possible that the techniques presented there could be applied in this first context.

Because models with non-linearities do not preserve the convexity of regions, it was next necessary to identify an efficient representation for non-convex polyhedra. For our purposes, projection polyhedra — where an object is represented by its projection onto two dimensional subspaces — provide such a representation, allowing us to apply efficient algorithms from computational geometry in two-dimensions to our higher dimensional problems.

Finally, we addressed the analysis of non-linear systems, by approximating the non-linear model by a linear term and a non-linear correction. The correction can be kept small by computing separate such models for each face of the reachable space, and can be approximated by a non-determinate "error" function of bounded magnitude. This construction allowed us to convert a non-linear model into a linear nonhomogeneous differential equation, which can be solved analytically, and such solutions allow us to bound the reachable space.

The analysis presented in this paper shows that ideas from computational geometry, dynamical systems, formal methods, linear algebra, and numerical computation can all contribute to the verification of systems with ODE models. The authors are currently implementing a tool to demonstrate these techniques.

1 Introduction

This paper examines the Lyapunov stability of equilibrium points for switched control systems [Mor95]. A switched control system is a continuous-valued system whose control law is switched in a discontinuous manner as the system state evolves over a continuous-valued subset of $\mathbb{R}^n$. Of particular interest in this paper are switched systems in which the switching logic is generated by a discrete-event transition system that can be represented as either a finite automaton or bounded Petri net.

There are a variety of prior results identifying sufficient conditions for such systems to be Lyapunov stable at their equilibrium point. In [Pel91] and [Sav96] a single positive definite functional is found which is Lyapunov for all control systems in the collection. Multiple Lyapunov function approaches in [Bra94] and [Hou96] have been presented which should be applicable to a larger set of systems than the single Lyapunov function methods. In certain cases, where the switched systems are linear time invariant and the switching regions are defined by conic sectors, it has been suggested that candidate Lyapunov functionals can be numerically computed by finding feasible points of a linear matrix inequality [Pet96] [Ran97].

While these prior results have provided great insight into the Lyapunov stability of switched systems, previously published results do not discuss the role or structure of the switching law in any detail. In the case of the computational methods proposed in [Pet96] and [Ran97], disregard for the switching law's structure may lead to linear matrix inequalities (LMIs) that are larger than needed and hence provide an overly restrictive sufficient condition for switched system stability. These conditions are overly restrictive in that the resulting system can only tolerate very small disturbances. This paper examines the numerical question and asks what sort of information about the switching law can be used to significantly reduce the computational complexity and conservatism associated with finding candidate Lyapunov functions of switched systems. The principal result of this paper states that if the switching law can be represented as a discrete-event transition system such as a finite automaton or Petri net, then it suffices to examine live fundamental cycles of the directed graph associated with such structures to assess switched system stability. In particular, the results and viewpoints suggested in this paper provide a way in which the traditional control theoretic methods cited above can be combined with results from computer science [Alu94] [Alu96] concerned with the behaviour of timed transition systems.

The remainder of the paper is organized as follows. In section 2, we first introduce a formal model for switched control systems which are supervised by a discrete-event transition system. Section 3 states recent results [Bra94] [Pet96] providing sufficient conditions for switched system stability using a multiple Lyapunov function approach. Section 4 motivates, states, and proves the paper's principal result. Section 5 presents two examples illustrating the value of using fundamental cycles in assessing switched system stability. Section 6 concludes with topics and directions for further study.

2 Problem Statement

Let $X \subset \Re^n$ be a smooth $n$-dimensional manifold and let $I$ be a finite set of $N$ integers. Let $\Delta$ be a constant dimensional distribution,

$$\Delta = \operatorname{span}\{ f_1, \ldots, f_N \}$$ (1)

where $f_i : X \to X$ for $i = 1, \ldots, N$ are locally Lipschitz vector fields over $X$.

We let a switched dynamical system be described by the following set of equations.

$$\dot{x}(t) = f_{i(t)}(x(t))$$ (2)

$$i(t) = q(x(t), i(t^-))$$ (3)

where $x : \Re \to X$, $i : \Re \to I$, and $q : X \times I \to I$. $i(t^-)$ refers to the righthand limit of the function $i(t)$ at point $t$. In the sequel, we refer to each $f_i$ as a subsystem of the switched system. The preceding model is similar to that used in [Tav87].

A trajectory of the switched system is the ordered pair $(x, i)$, where $x : \Re \to X$ and $i : \Re \to I$, which solves the system equation. The value taken by the trajectory at time $t \in \Re$ is denoted by $(x(t), i(t))$. We say that $(x, i)$ solves the system equation if and only if the equations are satisfied almost everywhere by $x(t)$ and $i(t)$ for $t \in \Re$. This paper does not treat questions concerned with the existence of solutions. In general, however, solutions (when they do exist) will not be unique due to the nondeterminism in the switching law.

Let $(x, i)$ be the trajectory generated by a switched dynamical system. The set of switching times, $\Omega$, of a trajectory $(x, i)$ will be

$$\Omega = \left\{ t : \lim_{\tau \to t^+} i(\tau) \neq \lim_{\tau \to t^-} i(\tau) \right\}$$ (4)

The set of switching events, $\mathcal{E}$, of trajectory $(x, i)$ is denoted as

$$\mathcal{E} = \left\{ (i, t) \in I \times \Re : t \in \Omega,\ i = \lim_{\tau \to t^+} i(\tau) \right\}$$ (5)

We define the timed projection $P_t : \mathcal{E} \to \Re$ by the equation $P_t[(j, \tau)] = \tau$ and the event projection $P_e : \mathcal{E} \to I$ by the equation $P_e[(j, \tau)] = j$.

The switching sequence is a mapping $\lambda : Z \to \mathcal{E}$ such that

$$P_t[\lambda(n)] < P_t[\lambda(n+1)]$$ (6)

for all $n \in Z$. Suppose $\lambda$ is a switching sequence. Let $I^*$ be the set of all strings formed from $I$. We let $\lambda_e = P_e[\lambda] \in I^*$ and $\lambda_t = P_t[\lambda]$ denote the event and time projections of $\lambda$, respectively. Let the subsequence of times when system $j$ is turned on and off be denoted as $\lambda_{t,j}$. In other words,

$$\lambda_{t,j} = \lambda_t(n_1), \lambda_t(n_1 + 1), \ldots, \lambda_t(n_k), \lambda_t(n_k + 1), \ldots$$ (7)

where $n_k$ is a subsequence of $Z$ such that $P_e[\lambda(n_k)] = j$. Define the interval completion $I(\lambda_{t,j})$ as the set obtained by taking the union of all open intervals in which system $j$ is active. In other words,

$$I(\lambda_{t,j}) = \bigcup_{k=1}^{\infty} \left( \lambda_t(n_k), \lambda_t(n_k + 1) \right)$$ (8)

Denote $E(\lambda_{t,j})$ as the subsequence of $\lambda_{t,j}$ when the subsystem $j$ is turned on. In other words,

$$E(\lambda_{t,j}) = \lambda_t(n_1), \lambda_t(n_2), \ldots, \lambda_t(n_k), \ldots$$ (9)

The preceding model of a switched system assumes a very general switching function, $q$. To obtain more precise results, however, we need to specify the nature of the switching function. A common choice is to associate a discrete-event transition system such as a finite automaton or Petri net with the switching system. In this paper we limit our scope to finite automata. An automaton is tied to the switched system by associating the vertices with the switched system's subsystems and by associating the arcs with switching sets called guards. The timed automaton [Alu94] and hybrid automaton [Alu96] provide tangible examples of this approach. In this paper we begin by considering a discrete-event transition system that is represented by a finite automaton, $(V, A)$.

A finite automaton associated with the switched system is the directed graph $(V, A)$ where $V = I$ is a set of vertices and $A \subset V \times V$ is a set of directed arcs. By definition, the automaton associates a subsystem $f_i$ with each vertex $i$ of $(V, A)$. We define the guard, $\Omega_{ij}$, of arc $(i, j) \in A$ as

$$\Omega_{ij} = \{ x \in X : j = q(x, i) \}$$ (10)

The ordered pair $(i, j)$ is an arc of $A$ if and only if $\Omega_{ij} \neq \emptyset$. The guard therefore represents a subset of the switched system's state space in which a switch can occur. The guard set $\Omega_{ii}$ will sometimes be denoted as $\Omega_i$ and represents the set in which subsystem $f_i$ remains active.

The preceding paragraph characterized the switching logic by a finite automaton $(V, A)$. It is straightforward to generalize this approach to consider more complex switching logics. In particular, let's consider how this might be done for a switching logic generated by a Petri net. A Petri net is represented by a directed graph $(V, A)$ where the vertex set consists of two types of vertices, places, $P$, and transitions, $T$. The vertex set, therefore, takes the form $P \times T = V$. We associate this directed graph structure with the switched system by letting $P = I$. We therefore associate a subsystem with each place of the Petri net. The guards, $\Omega_{ij}$, are associated with the transition $t \in T$ which connects the $i$th and $j$th places of the network. Petri nets provide natural structures for modeling concurrency and synchronization in parallel systems. In general, a Petri net can provide a more expressive characterization of a system's switching logic than can be provided by a finite automaton.

Let $(x, i)$ be the trajectory generated by a switched dynamical system. The trajectory is said to be deadlock free if the event projection of the switching sequence $P_e[\lambda]$ is not finite. We say that the trajectory is live if the event projection of the switching sequence $P_e[\lambda]$ contains an infinite number of each index $i \in I$. In other words, any subsystem can be switched an infinite number of times in a switching sequence. We say that the trajectory is nonZeno if the timed projection of the switching sequence $P_t[\lambda]$ satisfies

$$\sum_{n=1}^{\infty} P_t[\lambda(n)] = \infty$$ (11)

We say that the switched system is live, deadlock free, or nonZeno if all of its trajectories are live, deadlock free, or nonZeno, respectively.

An important issue which is not addressed in this paper concerns necessary and sufficient conditions for a switched system to be live, deadlock free, or nonZeno. In this paper, we assume that the switched system is live and nonZeno.

3 Prior Results

This section briefly discusses prior results on switched system stability. Let $(x, i)$ be any trajectory generated by the switched dynamical system. Assume that $f_i(0) = 0$ for all $f_i \in \Delta$. The equilibrium point $x = 0$ is said to be stable in the sense of Lyapunov if and only if for all $\epsilon > 0$ there exists $\delta > 0$ such that $\|x(t_0)\| < \delta$ implies $\|x(t)\| < \epsilon$ for all $t \ge t_0$.

In the following we will denote the open ball of radius $r$ centered at the origin as

$$B(r) = \{ x \in \Re^n : \|x\| < r \}$$ (12)

The sphere, $S(r)$, of radius $r$ centered at the origin is the set

$$S(r) = \{ x \in \Re^n : \|x\| = r \}$$ (13)

Let $\lambda$ be a switching sequence for a switched dynamical system with time projection $\lambda_t$. We say that a continuously differentiable function $V : \Re^n \to \Re^+$ is a Lyapunov-like function over sequence $\lambda_t$ if and only if $\dot{V}(x(t)) \le 0$ for all $t \in I(\lambda_t)$ and $V$ is monotonically nonincreasing on $E(\lambda_t)$. Using this definition of a Lyapunov like function, the following sufficient condition for Lyapunov stability was proven in [Bra94]. The proof uses standard techniques employed in proving Lyapunov stability for nonautonomous systems. A significant generalization of this result will be found in [Hou96].

Theorem 1. Suppose we have candidate Lyapunov functions $V_j$ ($j \in I$) and suppose that the switched system is nonZeno and satisfies $f_j(0) = 0$ for all $j \in I$. If $V_j$ is a Lyapunov like function for switching sequence $\lambda_{t,j}$ for all $j \in I$, then the equilibrium point $x = 0$ of the switched system is stable in the sense of Lyapunov.

The preceding theorem provides a sufficient condition for Lyapunov stability of switched systems. The condition requires that a set of Lyapunov like functions be determined for all possible switching sequences $\lambda$ that can be generated by the system. The determination of Lyapunov like functions may not be possible in general. For switched systems in which each subsystem is a linear time invariant system and the guard sets are represented by conic sectors in $\Re^n$, a method for determining the Lyapunov like functions was presented in [Pet96] and [Ran97]. Assume that each subsystem can be written as

$$\dot{x}(t) = A_i x(t)$$ (14)

where $A_i \in \Re^{n \times n}$ and $i \in I$. Assume that the guard sets can be bounded by conic sectors parameterized by symmetric matrices $Q_{ij}$. In other words, consider sets,

$$\Omega_{ij} \subset \{ x \in \Re^n \mid x' Q_{ij} x \le 0 \}$$ (15)

$\Omega_{ii}$ represents the set in which the $i$th subsystem is free to operate and $\Omega_{ij}$ (where $i \neq j$) denotes the guard set for the transition between the $i$th and $j$th vertices. If we can find real matrices $P_i = P_i' > 0$ for all $i \in I$ and real constants $\alpha_i \ge 0$ and $\alpha_{ij} \ge 0$ such that

$$A_i' P_i + P_i A_i + \alpha_i Q_{ii} < 0$$ (16)

$$P_i - P_j + \alpha_{ij} Q_{ij} < 0 ,$$ (17)

then the functionals $V_j = x' P_j x$ are Lyapunov like functions of the switched system. This particular condition is more restrictive than that formulated in [Bra94], but it can be readily reformulated as a linear matrix inequality (LMI) which can be solved using interior-point methods for convex optimization.


4 Main Result

The sufficient conditions presented in [Bra94] [Hou96] and used in [Pet96] [Ran97] to compute candidate Lyapunov functionals provide an approach for testing switched system stability. These methods, however, do not explicitly account for the structure of the switching logic. For example, the stability theorems in [Bra94] [Hou96] require that $V_j$ be Lyapunov like for all possible switching sequences. These papers place no assumptions on the nature of the switching laws. The computational methods demonstrated in [Pet96] assume no structure on the switching logic and therefore consider the worst case switching law in which every possible switch has to be considered. Neglecting the structure of the switching law can result in an extremely high dimensional linear matrix inequality which may be more restrictive than it needs to be.

In this section, we present and prove a result which shows that when the switching logic can be characterized by a finite automaton, then we only need to search for Lyapunov like functions over a restricted set of fundamental cycles in the finite automaton. Essentially, the following result shows that rather than having to examine whether a set of candidate functions are Lyapunov like for all possible switching sequences, we only need consider whether the candidate functions are Lyapunov like over a potentially smaller sized set of fundamental cycles.

Let the directed graph $(V, A)$ have $n + 1$ vertices, $i_0, i_1, \ldots, i_n$. The sequence of arcs

$$(i_0, i_1), (i_1, i_2), \ldots, (i_{n-1}, i_n)$$ (18)

is called a path of length $n$. A cycle of a directed graph is any path such that $i_0 = i_n$. A cycle of length $n$

$$(i_0, i_1), (i_1, i_2), \ldots, (i_{n-1}, i_0)$$ (19)

is said to be fundamental if $i_j \neq i_k$ for all $j, k$ not equal to zero or $n$ and for all $j \neq k$. The following results are basic facts from graph theory. In any fundamental cycle, any two vertices are connected by one and only one path. An arc of a directed graph that is in a cycle is also in a fundamental cycle. For any cycle, $C$, in a directed graph, there exists a set of fundamental cycles $C_1, C_2, \ldots, C_N$ such that

$$\operatorname{Arcs}(C) = \bigcup_{i=1}^{N} \operatorname{Arcs}(C_i)$$ (20)

Finally, the fundamental cycles of a directed graph can be determined in polynomial time by constructing a minimal spanning tree for the graph. Note that the fundamental cycles of a graph are non-unique.

To state and prove the main result of this paper, we first need to establish some facts about fundamental cycles generated by live switched systems. The first principal lemma is a result saying that any event sequence generated by a switched system can be constructed by recursively inserting fundamental cycles into a legal switching sequence. We then introduce a sufficient condition for a fundamental cycle to be uniformly bounded with respect to time. These two results are then combined to establish the Lyapunov stability of the entire switched system.

Lemma 2. In the automaton associated with a live switched system, every arc is in at least one fundamental cycle.

Proof: Let $(V, A)$ denote the finite automaton associated with a switched system. Assume that there exists an arc $(i, j) \in A$ which is not in any cycle of $(V, A)$. Therefore, once we go through arc $(i, j)$ there is no path back to vertex $i \in V$. Therefore in any switching sequence $\lambda$ that contains arc $(i, j)$ the number of times that vertex $i$ is reached is finite, which contradicts the definition of a live transition system. Therefore every arc of a live automaton is in a cycle. Furthermore, from the fundamental results about cycles in directed graphs, we know that every arc is in at least one fundamental cycle, so the lemma is proven. •

In the sequel, we will say an arc is a live arc if it is in a fundamental cycle.

Lemma 3. Any switching sequence $\lambda$ generated by a live switched system can be decomposed as

$$\lambda_e = \sigma_1 \sigma_2 \sigma_3$$ (21)

where $\sigma_1$ is a prefix of $\lambda_e$, $\sigma_3$ is a suffix of $\lambda_e$, and $\sigma_2$ is a fundamental cycle of the switched system's automaton.

Proof: Assume there exists a switching sequence $\lambda$ with event projection $\lambda_e$ such that the decomposition doesn't exist. This means that there is no substring in $\lambda_e$ which is a fundamental cycle. But from the definition of a live switched system, we know that every arc must be in a cycle. Let $i_1$ be the vertex where such a cycle starts. If the cycle is fundamental, then we have a contradiction and the proof is finished. But if the cycle is not fundamental, then there is a vertex $i_2$ which is crossed more than once in the cycle. Consider the cycle starting from $i_2$. Either this cycle is fundamental, or not. If not, then we can repeat the above argument to find a smaller cycle within this one. However, because the automaton is finite, this recursion has to terminate in a fundamental cycle. We therefore have a contradiction and the lemma is proven. •

Proposition 4. Given a switching sequence $\lambda$ generated by a live switched system, let $A : Z \to I^*$ be a sequence of sequences in $I^*$ constructed by the recursive procedure:

1. $A[0]$ is a fundamental cycle $C_0$

2. $A[n] = \sigma_1 C_n \sigma_2$ where $\sigma_1 \sigma_2 = A[n-1]$ and $C_n$ is a fundamental cycle.

Then there exists a set of $C_i$ such that $A[n]$ is a prefix of $\lambda$ for all $n$.

Proof: From lemma 3 we know that any switching sequence can be decomposed as $\sigma_1 \sigma_2 \sigma_3$ where $\sigma_2$ is a fundamental cycle. Note that if we pull out $\sigma_2$ from the switching sequence, then $\sigma_1 \sigma_3$ is still a possible switching sequence. We can now decompose the resulting sequence $\sigma_1 \sigma_3$ using lemma 3 to pull out another fundamental cycle of the automaton. Since the switching sequence is countable, we can repeat this process to pull out a countable sequence of fundamental cycles. This sequence is the set of $C_i$ referred to in the above proposition. •
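The decomposition of Lemma 3 and the recursive construction of Proposition 4, worked on a finite event sequence, as an added Python example that is not part of the paper. The arc set is reconstructed from the four fundamental cycles that section 5 quotes for its first example (an assumption, since the figure is not reproduced here), and the event sequence is constructed.

```python
"""Pulling fundamental cycles out of a switching sequence (Lemma 3 / Proposition 4)."""

# Arcs of the example-1 automaton, reconstructed from the fundamental cycles
# 2-5-4, 2-5-4-1, 2-5-6 and 2-5-6-3 named in section 5 (assumption).
EX1_ARCS = {(2, 5), (5, 4), (4, 2), (4, 1), (1, 2),
            (5, 6), (6, 2), (6, 3), (3, 2)}

# Constructed event projection lambda_e of one legal walk through EX1_ARCS.
SAMPLE_EVENTS = (2, 5, 4, 2, 5, 6, 3, 2, 5, 4, 1, 2, 5, 6, 2)


def is_walk(events, arcs):
    """True if every pair of consecutive events is an arc of the automaton."""
    return all((a, b) in arcs for a, b in zip(events, events[1:]))


def is_fundamental_cycle(cycle, arcs):
    """A fundamental cycle visits each vertex once and closes on its start."""
    if not cycle or len(set(cycle)) != len(cycle):
        return False
    return is_walk(tuple(cycle) + (cycle[0],), arcs)


def decompose(events):
    """Lemma 3: split events into (sigma1, sigma2, sigma3) where sigma2 is the
    first cycle that closes.  Returns None if no vertex repeats, i.e. the
    finite sequence contains no cycle at all."""
    last_seen = {}
    for k, v in enumerate(events):
        if v in last_seen:
            p = last_seen[v]
            # No vertex repeats inside events[p:k]; otherwise an earlier k
            # would already have closed a cycle.  So events[p:k] is fundamental.
            return tuple(events[:p]), tuple(events[p:k]), tuple(events[k:])
        last_seen[v] = k
    return None


def pull_cycles(events, arcs):
    """Proposition 4 run backwards: repeatedly remove a fundamental cycle until
    only an acyclic residue is left.  sigma1 ends at the vertex sigma3 starts
    with, so sigma1 sigma3 remains a legal walk after every removal.
    Returns (residue, cycles in removal order)."""
    seq = tuple(events)
    if not is_walk(seq, arcs):
        raise ValueError("event sequence is not a walk of the automaton")
    cycles = []
    while (parts := decompose(seq)) is not None:
        sigma1, cycle, sigma3 = parts
        if not is_fundamental_cycle(cycle, arcs):
            raise ValueError(f"{cycle} is not a fundamental cycle")
        cycles.append(cycle)
        seq = sigma1 + sigma3
        assert is_walk(seq, arcs)
    return seq, cycles


def rebuild(residue, cycles, arcs):
    """Proposition 4 forwards: re-insert the cycles in reverse removal order.
    Each cycle was cut out at the first occurrence of its start vertex, so
    re-inserting it there reproduces the original sequence; every intermediate
    A[n] is checked to be a legal walk."""
    seq = tuple(residue)
    for cycle in reversed(cycles):
        pos = seq.index(cycle[0])
        seq = seq[:pos] + cycle + seq[pos:]
        assert is_walk(seq, arcs)
    return seq


if __name__ == "__main__":
    residue, cycles = pull_cycles(SAMPLE_EVENTS, EX1_ARCS)
    print("residue:", residue, "cycles:", cycles)
    print("rebuilt == original:", rebuild(residue, cycles, EX1_ARCS) == SAMPLE_EVENTS)
```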
A given sequence of events can be generated in various ways by a switched system. What we'd like to do is ensure that the cycle is well-behaved in some appropriate sense. In particular, we'll require that the continuous-state trajectory over the cycle is uniformly bounded with respect to time. The following lemma provides sufficient conditions for the system to be uniformly bounded.


Lemma 5. Let $\lambda_e$ be any cycle generated by the live switched system consisting of events

$$\lambda_e = j_1, \ldots, j_K$$ (22)

where $j_{K+1} = j_1$, with switching times

$$t_0, t_1, \ldots, t_K$$ (23)

so that $t_i$ is the time when the $i$th system is switched off and the $(i+1)$st system is switched on.

If there exists a set of continuously differentiable functions $V_j : \Re^n \to \Re$ for $j \in I$ such that $\dot{V}_j(x(t)) \le 0$ for all $t \in [t_{j-1}, t_j)$, then for any $\epsilon > 0$ there exists $\delta(\epsilon) > 0$ such that for all $\|x(t_0)\| < \delta(\epsilon)$, $\|x(t)\| < \epsilon$ for all $t \in [t_0, t_K]$.

Proof: Consider an arbitrary $\epsilon > 0$ and let

$$\beta_K = \min_{x \in S(\epsilon)} V_{j_K}(x)$$ (24)

Define the closed set,

$$\Omega_K = \{ x \in B(\epsilon) : V_{j_K}(x) \le \beta_K \}$$ (25)

Choose $\rho_K$ such that for all $x \in B(\rho_K)$, we have $V_{j_K}(x) < \beta_K$. We now define

$$\beta_{K-1} = \min_{x \in S(\rho_K)} V_{j_{K-1}}(x)$$ (26)

and introduce the closed set,

$$\Omega_{K-1} = \{ x \in B(\rho_K) : V_{j_{K-1}}(x) \le \beta_{K-1} \}$$ (27)

Choose $\rho_{K-1}$ as was stated above and continue this process to construct a monotone sequence of sets

$$\Omega_1 \subset \Omega_2 \subset \cdots \subset \Omega_K$$ (28)

Note that $\Omega_j$ is invariant with respect to subsystem $f_j$ because of the condition on $V_j$. Therefore, we expect that if we start in $B(\rho_0)$, we should stay in the set $B(\epsilon)$, which is sufficient to establish the lemma's conclusion. •

A cycle for which such functionals can be found will be said to be uniformly bounded. We now state and prove the main result of this section. This result uses the preceding proposition to show by induction that each of the sequences in the supersequence of lemma 3 is uniformly bounded if each fundamental cycle is uniformly bounded.
Theorem 6. Consider a live nonZeno switched system where $f_j(0) = 0$ for all $j \in I$. Let $\lambda$ be a switching sequence generated by the system. Let $\mu$ denote a subsequence of contiguous switches in $\lambda$ such that $P_e[\mu]$ is a fundamental cycle of the system's automaton. Let $\rho$ denote the infinite sequence formed by concatenation of $\mu$ with itself.

If there exists a set of continuously differentiable functions $V_j : \Re^n \to \Re$ which are Lyapunov like over sequence $\rho_{t,j}$ for $j \in I$, then the system is stable in the sense of Lyapunov.

Proof: From our earlier lemma, we know that any switching sequence can be constructed by inserting fundamental cycles into a legal switching sequence. Let

$$\lambda = A[0], A[1], \ldots, A[n], \ldots$$ (29)

By definition $A[0]$ is a fundamental cycle and under the theorem's hypothesis this is uniformly bounded.

Now assume that the sequence $A[n]$ is uniformly bounded. By assumption the fundamental cycle inserted into $A[n]$ is uniformly bounded. Note also, however, that since $V_j$ is Lyapunov like we require that if $x(t_0) \in \Omega_i$, then it must return to that set. Hence the addition of the fundamental cycle does not change the boundedness of the original sequence $A[n]$. We can therefore conclude that $A[n+1]$ is uniformly bounded.

We now consider the limit as $n \to \infty$. Since the $\delta$ determined for uniform boundedness is independent of time, we can conclude that it holds for sequences of arbitrary length and hence the system is stable in the sense of Lyapunov. •


5 Example

In this section, we present some examples illustrating the application of the result in the preceding section to the computation of Lyapunov-like functionals using the LMI methods.

First, consider a live switched system whose automaton is shown in figure 1. Associated with each vertex is an LTI subsystem of the form

$$\dot{x} = A_i x$$ (30)

where $i = 1, 2, \ldots, 6$. In addition to $A_i \in \Re^{2 \times 2}$, we associate the "self-switching" set characterized by the symmetric matrix $Q_i$. Figure 1 shows the given automaton and the assumed matrices associated with each vertex. Each arc $(i, j)$ in the automaton has a matrix $Q_{ij}$ associated with it. The arcs are also shown in figure 1.

From the automaton we can identify a set of four fundamental cycles. These fundamental cycles are obtained by determining a minimal spanning tree for the automaton's directed graph. This spanning tree is shown in figure 2 and the resulting fundamental cycles are 2-5-4, 2-5-4-1, 2-5-6, 2-5-6-3.
Fig. 2. Spanning Tree Identifying Switched System's Fundamental Cycles


From the theorem proven above, we know that it suffices to find a set of continuously differentiable functions, $V_j$, which are Lyapunov-like for each fundamental cycle in the automaton. Determining such Lyapunov-like functions can now be done using the method suggested in [Pet96] and [Ran97]. We establish four sets of matrix inequalities corresponding to the four fundamental cycles. For cycle 2-5-4, we have the set of inequalities,

$$A_i' P_i + P_i A_i + \alpha_i Q_i \le 0 \qquad i = 2, 5, 4$$

$$P_2 - P_4 + \alpha_{42} Q_{42} \le 0$$
$$P_5 - P_2 + \alpha_{25} Q_{25} \le 0$$
$$P_4 - P_5 + \alpha_{54} Q_{54} \le 0$$

A similar set of inequalities can be formed for the other three cycles. To find the Lyapunov like functions, $V_i = x' P_i x$, we want to make sure that all fundamental cycles are stable, so we build a large LMI which includes all the matrix inequalities associated with the four fundamental cycles. For this example, there are a total of 15 matrix equations.

The feasibility of the 15 equation LMI can be readily checked using the LMI toolbox [LMI93]. As indicated before, the LMI's feasibility guarantees the Lyapunov stability of the switched system. In this example, however, the LMI is infeasible, which means we cannot say whether the switched system is stable or not. Let's consider two ad hoc strategies for forcing such systems to be stable. The first strategy removes unstable fundamental cycles from the system. The second strategy determines a state feedback controller that stabilizes the system.

Consider the example system and check the feasibility of the LMI associated with each fundamental cycle. We discover that the LMI associated with cycle 2-5-6 is infeasible. Computer simulations show that cycle 2-5-6 is unstable. The first approach mentioned above will use a supervisory control to disable the transition from node 6 to node 2. The disabling of the transition essentially removes the unstable fundamental cycle from the system. With the unstable cycle disabled, we form an LMI for the three remaining fundamental cycles. In this example, the reduced LMI for the supervised system is feasible, thereby indicating that the supervised switched system is Lyapunov stable. Simulation results for this example have verified this conclusion.

Alternatively, the second strategy determines a state feedback controller that stabilizes the unstable fundamental cycle. The LMI associated with the unstable cycle for the controlled system has the form,

$$(A_i + K_i)' P_i + P_i (A_i + K_i) + \alpha_i Q_i \le 0 \qquad i = 2, 5, 6$$
$$P_2 - P_6 + \alpha_{62} Q_{62} \le 0$$
$$P_5 - P_2 + \alpha_{25} Q_{25} \le 0$$
$$P_6 - P_5 + \alpha_{56} Q_{56} \le 0$$

where $K_i$, $i = 2, 5, 6$, are stabilizing controllers to be determined. This is a nonlinear matrix inequality that can be transformed into an LMI by reparameterizing the feedback controller, $K_i$. Let $K_i = P_i^{-1} V_i$; then these inequalities become

$$A_i' P_i + P_i A_i + V_i' + V_i + \alpha_i Q_i \le 0 \qquad i = 2, 5, 6$$

The resulting matrix inequality is clearly linear. We combine the above LMIs for the unstable cycle with the LMIs for the other three fundamental cycles and use the LMI toolbox to check for a feasible solution. In this example, the resulting LMI is feasible and the solution obtained by the LMI toolbox determines the matrices $P_i$ and the controller gains $K_i$ which stabilize the system.

We now consider another example in which some transitions in the automaton are not live. Consider the switched system whose automaton is shown in figure 3.

Fig. 3. The automaton of the switched system of example 2


From the automaton, we identify two fundamental cycles, namely, cycle 1-2-3 and cycle 1-4-3. We thus know that the system is not a live system, since arcs (5, 6), (6, 2) and (5, 3) are not in either of the fundamental cycles. One implication of our new result is that we can identify the "live part" of the system by identifying all the fundamental cycles in its automaton and all the live arcs associated with them. From lemma 2, we know that a live arc is guaranteed to appear infinitely many times in a switching sequence, whereas an arc which is not a live arc can appear only once in a switching sequence and therefore its appearance cannot affect the stability of the switched system. We thus only need to consider all the live arcs in deciding stability of the whole switched system. In this example, we only need to establish LMIs for the two fundamental cycles and check the existence of a set of Lyapunov-like functions $V_j$ for $j = 1, 2, 3, 4$.

Using the same method as in the previous example, we find a total number of 9 LMIs for the two fundamental cycles. In comparison, if we had proceeded using the technique originally proposed in [Pet96], then we would need to build an LMI which accounted for all individual transitions that could possibly happen. If the automaton had $N$ vertices and $A$ arcs, then we would have at least $N + A$ equations in our linear matrix inequality. For our particular example, we would have a 14 equation LMI to solve.
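Enumerating the fundamental cycles and live arcs of the two example automata and counting the resulting matrix inequalities (the 15, 9 and 14 quoted in the text), as an added Python example that is not from the paper. The arc sets are reconstructed from the cycles and non-live arcs named in the text, which is an assumption since the figures are not reproduced here; cycles are found by depth-first search rather than by the spanning-tree construction mentioned in section 4.

```python
"""Fundamental cycles, live arcs and LMI size for a switching automaton."""
from collections import defaultdict

# Example-1 automaton: arcs reconstructed from the four fundamental cycles
# 2-5-4, 2-5-4-1, 2-5-6, 2-5-6-3 named in the text (assumption).
EX1_ARCS = {(2, 5), (5, 4), (4, 2), (4, 1), (1, 2),
            (5, 6), (6, 2), (6, 3), (3, 2)}
# Example-2 automaton: cycles 1-2-3 and 1-4-3 plus the three non-live arcs
# (5,6), (6,2), (5,3) named in the text (assumption).
EX2_ARCS = {(1, 2), (2, 3), (3, 1), (1, 4), (4, 3),
            (5, 6), (6, 2), (5, 3)}


def fundamental_cycles(arcs):
    """Enumerate every fundamental cycle (no vertex repeated) of the directed
    graph.  Each cycle is reported once, rotated to start at its smallest
    vertex, so 2-5-4-1 and 1-2-5-4 are the same cycle."""
    succ = defaultdict(list)
    for i, j in arcs:
        succ[i].append(j)
    found = set()

    def extend(start, v, path):
        for w in succ[v]:
            if w == start:
                found.add(tuple(path))          # closed back on the start vertex
            elif w > start and w not in path:   # larger vertices only: no rotations
                extend(start, w, path + [w])

    for s in sorted(succ):
        extend(s, s, [s])
    return sorted(found)


def live_arcs(arcs):
    """Lemma 2: in a live automaton every arc lies in a fundamental cycle; the
    arcs that lie in none are the ones a trajectory can take at most once."""
    live = set()
    for cyc in fundamental_cycles(arcs):
        for k, v in enumerate(cyc):
            live.add((v, cyc[(k + 1) % len(cyc)]))
    return live


def lmi_sizes(arcs):
    """Return (N + A, live vertices + live arcs): one inequality of type (16)
    per vertex and one of type (17) per arc, counting every arc as in [Pet96]
    versus only the live part as in this paper.  Isolated vertices are not
    counted because they carry no arcs."""
    vertices = {v for arc in arcs for v in arc}
    live = live_arcs(arcs)
    live_vertices = {v for arc in live for v in arc}
    return len(vertices) + len(arcs), len(live_vertices) + len(live)


if __name__ == "__main__":
    for name, arcs in (("example 1", EX1_ARCS), ("example 2", EX2_ARCS)):
        print(name, "cycles:", fundamental_cycles(arcs))
        print(name, "non-live arcs:", sorted(arcs - live_arcs(arcs)))
        print(name, "(full, reduced) LMI size:", lmi_sizes(arcs))
```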

The implication of increasing LMI size is that it represents an overly restrictive sufficient condition for system stability. In our case, we can see this quite easily by solving the 9 equation LMI obtained by examining the fundamental cycles of the system versus the 14 equation LMI obtained by using the methods in [Pet96]. The $P$ matrices obtained in both cases for our example are shown in figure 4.

Fig. 4. P matrices for example 2 (31)

        original method                                                    simplified method
$P_1$   $\begin{bmatrix} 0.0418 & -0.0084 \\ -0.0084 & 0.0677 \end{bmatrix}$    $\begin{bmatrix} 68.6535 & -12.4057 \\ -12.4057 & 113.0276 \end{bmatrix}$
$P_2$   $\begin{bmatrix} 0.0309 & -0.0020 \\ -0.0020 & 0.0064 \end{bmatrix}$    $\begin{bmatrix} 57.2575 & -2.5743 \\ -2.5743 & 11.0493 \end{bmatrix}$
$P_3$   $\begin{bmatrix} 0.0363 & 0.0106 \\ 0.0106 & 0.0200 \end{bmatrix}$      $\begin{bmatrix} 62.5312 & 22.6958 \\ 22.6958 & 35.5830 \end{bmatrix}$
$P_4$   $\begin{bmatrix} 0.0335 & -0.0015 \\ -0.0015 & 0.0050 \end{bmatrix}$    $\begin{bmatrix} 57.5544 & -1.9279 \\ -1.9279 & 8.2600 \end{bmatrix}$
$P_5$   $\begin{bmatrix} 0.0980 & -0.0028 \\ -0.0028 & 0.1315 \end{bmatrix}$    not required (vertex 5 is not live)
$P_6$   $\begin{bmatrix} 0.0447 & -0.0068 \\ -0.0068 & 0.1218 \end{bmatrix}$    not required (vertex 6 is not live)

In computing the first table, the LMI toolbox required 13326 flops to determine the $P$ matrices for the original method. The simplified method developed in this paper only required a total of 8665 flops. So our method clearly has a lower computational complexity than the original method of [Pet96]. More important than this, however, is the difference between the matrices. As can be clearly seen above, the singular values for the $P$ matrices obtained from the simplified approach are around 50. For the original approach in [Pet96], however, these values are about 0.1. Since the singular value is a measure of how close the matrix is to being singular, this means that the original method was almost unable to determine the candidate Lyapunov functions. With minor changes in the $Q$ matrices it is quite possible to generate examples in which the original method is unable to find the required $P$ matrices, but our method would find such matrices. In addition, the size of the singular values for $P$ provides an upper bound on the size of disturbance which the system can tolerate. The larger the singular value is, the larger this upper bound is. Clearly, the simplified method provides a larger upper bound on the disturbance that can be tolerated. So, the simplified method provides a less conservative assessment of the system's stability than the original method.

Remark: The use of fundamental cycles in assessing system stability is, in
fact, more closely related to the results of [Hou96] than to those of [Bra94]. The
significance of the [Hou96] results, in our opinion, lies in the fact that one need
only establish Lyapunov-like behaviour over discrete switching times. In this
regard, we should be able to use our results to determine potentially less restrictive
stability conditions in which the Lyapunov-like functions need not always be
monotone decreasing.

Remark: The LMI we constructed using the [Pet96] method actually takes
into account all the possible switchings, i.e. all the arcs in the automaton, to
determine the system's stability, whereas our simplified method considers only
the live arcs, since we know that only the live arcs can affect the switched
system's stability. Therefore, it is obvious that our simplified method is less
restrictive than the [Pet96] method.

Remark: The value of fundamental cycles goes well beyond the immediate
objective of giving a "yes" or "no" assessment of system stability. Fundamental
cycles represent a basic characterization of the automaton's graph which can
be very useful in analysis and synthesis. In particular, we believe it should be
possible to use fundamental cycles to help decouple the LMI construction problem
into a set of smaller problems. We also believe that the identification of
"unstable" or "uncontrollable" fundamental cycles should provide a basis for the
introduction of supervisory control schemes in the switching law. The implication
here is that the use of fundamental cycles in the qualitative analysis of switched
systems potentially represents an important tool for the analysis and synthesis of
switched systems. The stability analysis presented in this paper is only a simple
example illustrating its potential use.


6 Future Work


This paper has presented a sufficient test for switched system stability which
takes advantage of prior knowledge of the system's switching logic. In particular,
it was shown that if the switching logic can be shown to be generated by a finite
discrete-event transition system such as a finite automaton or Petri net, then it
suffices to determine Lyapunov-like functions only over the fundamental cycles
of the state machine.

The preliminary results presented in this paper are encouraging and suggest
several possible directions for future study. One future direction involves extending
the concepts introduced here to study switching logics generated by Petri
nets [Lem98]. The use of unfolding methods should allow the efficient identification
of fundamental cycles in the Petri net's reachability tree, thereby providing
a sufficient test for the stability of such systems. Another promising avenue of
future study involves developing sufficient tests for uniform ultimate boundedness
(bounded-amplitude) in switched systems. For important classes of systems,
we can also formulate these sufficient conditions as matrix inequalities [Bet97],
thereby allowing the efficient testing of switched system performance with
respect to a specified ultimate bound. Examples of this approach will also be
found in [Lem98].
Abstract. We study the reachability problem for hybrid automata.
Automatic  approaches,  which  attempt  to  construct  the  reachable  region 
by  symbolic  execution,  often  do  not  terminate.  In  these  cases,  we  re¬ 
quire  the  user  to  guess  the  reachable  region,  and  we  use  a  theorem  prover 
(Pvs)  to  verify  the  guess.  We  classify  hybrid  automata  according  to  the 
theory  in  which  their  reachable  region  can  be  defined  finitely.  This  is  the 
theory  in  which  the  prover  needs  to  operate  in  order  to  verify  the  guess. 
The  approach  is  interesting,  because  an  appropriate  guess  can  often  be 
deduced  by  extrapolating  from  the  first  few  steps  of  symbolic  execution. 

Keywords:  hybrid  automata,  reachability  verification,  theorem  proving. 


1  Introduction 

Hybrid  automata  are  a  specification  and  verification  model  for  hybrid  systems 
[ACH+95],  systems  that  involve  mixed  continuous  and  discrete  evolutions  of 
variables.  The  problem  that  underlies  the  safety  verification  for  hybrid  automata 
is  reachability:  can  an  unsafe  state  be  reached  from  an  initial  state  by  executing 
the  system?  The  traditional  approach  to  reachability  attempts  to  compute  the 
set  of  reachable  states  by  successive  approximation,  starting  from  the  set  of  initial 
states  and  repeatedly  adding  new  reachable  states.  This  computation  can  be 
automated  and  is  guaranteed  to  converge  in  some  special  cases  [KPSY93,  AD94, 
ACH+95,  HKPV95,  RR96],  for  which  the  reachability  problem  is  decidable.  In 
general,  however,  this  approach,  which  we  call  reachability  construction,  may 
not  be  automatable  or  may  not  converge. 

It  is  for  this  reason  that  in  this  paper,  we  pursue  a  different  approach,  called 
reachability  verification.  In  reachability  verification,  the  user  guesses  the  set  of 
reachable  states,  and  then  a  theorem  prover  is  applied  to  verify  the  guess.  A 
guess  has  the  form  of  a  logical  formula,  which  is  true  exactly  for  the  states  that 
are guessed to be reachable. We classify hybrid automata as to what logical
theory suffices to define the set of reachable states. The formula to be guessed
must lie in this theory, and the verification part amounts to a proof in this
theory. Hence, the simpler the theory, the more constrained the guess and the
easier the verification. In some cases (for example, the case of additive-inductive
hybrid automata, where the set of reachable states is definable in a decidable
subtheory of $(\mathbb{R}, \mathbb{N}, +, <)$) the verification part is often completely automatic.
The reachability verification approach is interesting because when successive
approximation does not converge, a suitable guess can often be found by studying
and extrapolating the first few iterations of successive approximation. In this
way, some automatic heuristics can be developed to aid the guessing part.

... by the ARPA grant NAG2-892, and by the SRC contract 95-DC-324.036.

Supported by Lavoisier grant of the French Foreign Affairs Ministry and by SRI.

The  rest  of  the  paper  is  organized  as  follows.  In  Section  2,  we  present  the 
hybrid  automaton  model,  the  reachability  construction  method,  and  the  reach¬ 
ability  verification  method.  We  restrict  our  attention  to  linear  hybrid  automata, 
for  which  reachability  construction  can  be  automated  and  has  been  implemented 
in  verification  tools  such  as  HyTech  [AHH96].  In  Section  3,  we  classify  linear 
hybrid  automata  according  to  the  theory  in  which  the  set  of  reachable  states 
is  definable.  For  example,  all  linear  hybrid  automata  for  which  reachability 
construction  converges  are  polyhedral,  as  their  reachable  region  can  be  defined 
in  (R,  +,  <).  We  give  examples  of  linear  hybrid  automata  whose  reachable 
regions  are  quite  simple  yet  non-polyhedral  (e.g.,  additive-inductive),  as  well  as 
examples  of  linear  hybrid  automata  whose  reachable  regions  are  quite  complex 
(e.g.,  most  naturally  expressed  using  trigonometric  functions).  We  also  present  a 
restricted  subclass  of  additive-inductive  automata  for  which  the  reachable  region 
can  be  computed  algorithmically,  even  though  reachability  construction  does  not 
necessarily  terminate.  Finally,  in  Section  4  we  describe  an  embedding  of  hybrid 
automata  into  the  theorem  prover  Pvs  [ORR+96],  and  apply  the  reachability 
verification  method  to  some  well-known  examples  for  which  reachability  con¬ 
struction  fails. 

2  Linear  Hybrid  Automata  and  Reachability  Analysis 

Hybrid automata [ACH+95] are finite automata enriched with a finite set of real-valued
variables. In each location, the variables evolve continuously according to
differential activities, as long as the location's invariant remains true; then, when
a transition guard becomes true, the control may proceed to another location,
and reset some of the variables to new values. We restrict our attention to a
simple class of hybrid automata, allowing only straight-line activities and resets
of variables to zero. More general features can be approximated in the simpler
framework, with additional locations, transitions, and variables [HHWT98].

Below (Figure 1) is an example of a linear hybrid automaton. It has the
three locations $s_1, s_2, s_3$ and the three variables $x, y, z$. The automaton starts
at location $s_1$ with variable $x$ set to 0 and variables $y, z$ set to 1, and control can
remain at location $s_1$ while the invariant $x \le y$ is true. Here, $x$ increases with
slope 1 ($\dot x = 1$) and $y$ remains constant at 1 ($\dot y = 0$). Thus, control can stay
at $s_1$ for at most 1 time unit, until $x$ reaches 1. When this condition becomes
true, control leaves $s_1$ by taking a transition. Here, the only available transition
is the one that leads to $s_2$, which is enabled when $x = y$. Then, control goes
to location $s_2$, where $x$ decreases ($\dot x = -1$), and stays there until $x$ reaches 0.
When this happens, the transition from $s_2$ to $s_3$ is enabled and control goes to
$s_3$, assigning variable $z$ to 0 in the process. The process continues likewise at
location $s_3$.


Figure 1. Example of a linear hybrid automaton (diagram not reproduced; the locations $s_1, s_2, s_3$ and a guard $z = 1$ are the only legible labels)


Syntax of linear hybrid automata. A convex linear predicate is a system of
linear inequalities over given variables. A linear predicate is a finite disjunction
of convex linear predicates. A linear hybrid automaton consists of the following
elements:

- a finite set $X = \{x_1, x_2, \dots, x_n\}$ of variables;

- a finite set $L$ of locations;

- a finite multiset of transitions $T \subseteq L \times L$;

- for each location $l \in L$:

  • an invariant $Inv(l)$, which is a convex linear predicate on the variables;

  • an activity $Act(l)$, which is a tuple of differential laws (one law per variable)
  of the form $\dot x = A(l, x)$. Here, $A(l, x)$ is a rational constant, also
  called the slope of variable $x$ at location $l$;

  • an initial condition $Init(l)$, which is a convex linear predicate on the
  variables;

- for each transition $t \in T$:

  • a guard $Guard(t)$, which is a convex linear predicate on the variables;

  • a reset $Reset(t)$, which is a set of variables $Reset(t) \subseteq X$.


Semantics. The semantics of hybrid automata builds upon the following
preliminary notions. A valuation is a function $v : X \to \mathbb{R}$ that associates a real
number $v(x)$ to each variable $x \in X$. Given a variable valuation $v$ and a linear
predicate $P$ over the variables, we say $v$ satisfies $P$, written $P(v) = true$,
if by replacing in $P$ each variable $x$ with its value $v(x)$, one obtains a true
statement. In particular, if valuation $v$ satisfies the invariant of location $l$
(respectively, the guard of transition $t$) we write $Inv(l)(v) = true$ (respectively,
$Guard(t)(v) = true$). Given a valuation $v$ and a subset $Y \subseteq X$ of variables, we
write $v[Y := 0]$ for the valuation that assigns 0 to all variables in $Y$, and agrees
with $v$ on all variables in $X \setminus Y$. Given a valuation $v$, a location $l \in L$, and a
non-negative real $r \in \mathbb{R}^+$, we write $v +_l r$ for the valuation that assigns to each
variable $x$ in $X$ the value $v(x) + A(l, x) \cdot r$, where $A(l, x)$ is the slope of variable
$x$ at location $l$.

The semantic features of a hybrid automaton are the following:

- a state is a pair $(l, v)$, where $l$ is a location and $v$ a valuation such that
$Inv(l)(v) = true$;

- for a non-negative real $r \in \mathbb{R}^+$, there is a continuous step of duration $r$
between two states $(l, v)$ and $(l, v')$, denoted $(l, v) \xrightarrow{r} (l, v')$, if $v' = v +_l r$;

- for a transition $t = (l, l') \in T$, there is a discrete step of label $t$ between two
states $(l, v)$ and $(l', v')$, denoted $(l, v) \xrightarrow{t} (l', v')$, if $Guard(t)(v) = true$ and
$v' = v[Reset(t) := 0]$;

- a run is a finite sequence of continuous and discrete steps $(l_0, v_0) \to (l_1, v_1) \to
\dots \to (l_m, v_m)$ such that the first state $(l_0, v_0)$ is initial; i.e., $v_0$ satisfies the
initial condition $Init(l_0)$.

A state is reachable if it coincides with the last state of a run. A linear region is
a pair $(l, P)$, where $l$ is a location and $P$ is a linear predicate on the automaton
variables. A state $(s, v)$ satisfies the linear region $(l, P)$ if $s = l$ and $v$ satisfies $P$.
In this case we also say that the region $(l, P)$ contains the state $(s, v)$. The
reachability problem for linear hybrid automata is: given a linear hybrid automaton
$A$ and a set $\mathcal{R}$ of linear regions, is there a reachable state of $A$ that is
contained in some region in $\mathcal{R}$? We discuss below two kinds of approaches to
this problem.


Reachability construction [ACH+95]. This method performs a symbolic
execution of the hybrid automaton. It consists in successively approximating
the reachable region, starting from the initial region, and iterating successor
operations until the computation converges. There are two kinds of successors.

The continuous successor of a region $(l, P)$ is the region $(l, P_l)$ that contains
all the states that can be reached from states satisfying $(l, P)$ by a single
continuous step. The predicate $P_l$ is obtained by extension of $P$ at location $l$.
Suppose $P$ is a linear predicate over the variables $x_1, \dots, x_n$, and that variable
$x_i$ evolves in location $l$ by the law $\dot x_i = k_i$ (for all $i \in \{1, \dots, n\}$); then, the
extension of $P$ at location $l$ is described by the following predicate:

$$P_l = \exists r \ge 0.\; P(x_1 - k_1 \cdot r, \dots, x_n - k_n \cdot r) \qquad (1)$$

It can be shown that the elimination of the existential quantifier in formula
(1) can be performed, and it again produces a linear predicate in variables
$x_1, \dots, x_n$: the continuous successor of a linear region is still a linear region.
The discrete successor of a linear region $(l, P)$ by a transition $(l, l') \in T$ is the
region $(l', P_{(l,l')})$ that contains all the states that can be reached from states
satisfying $(l, P)$ by a single discrete step. The predicate $P_{(l,l')}$ is obtained from
$P$ by projection over transition $(l, l')$. Suppose that $P$ is a linear predicate over
variables $x_1, \dots, x_n$, and transition $(l, l')$ resets the variables $x_{i_1}, x_{i_2}, \dots, x_{i_p}$;
then, the projection of $P$ over transition $(l, l')$ can be described by the following
predicate:

$$P_{(l,l')} = (x_{i_1} = 0 \wedge x_{i_2} = 0 \wedge \dots \wedge x_{i_p} = 0) \wedge \exists x_{i_1} \exists x_{i_2} \dots \exists x_{i_p}.\; P(x_1, \dots, x_n) \qquad (2)$$

It can be shown that the elimination of the existential quantifiers in formula (2) can
be performed, and it again produces a linear predicate in variables $x_1, \dots, x_n$.
Thus, the discrete successor of a linear region is still a linear region.

Reachability construction consists in iterating the following Post procedure:

Input: set $A$ of linear regions.

Output: set $B$ of linear regions, initially empty.

For each linear region $(l, P)$ in the set $A$, for each transition $(l, l')$ with origin $l$:

- let $P_1$ be the intersection of $P$ with the guard of transition $(l, l')$;

- let $P_2$ be the projection of $P_1$ over transition $(l, l')$;

- let $P_3$ be the intersection of $P_2$ with the invariant of $l'$;

- let $P_4$ be the extension of $P_3$ at location $l'$;

- let $P_5$ be the intersection of $P_4$ with the invariant of $l'$;

- add $(l', P_5)$ to set $B$.

We denote by $Post^k(I)$ the set of regions obtained by applying $k$ times the
Post operation to the set of initial regions $I = \{(l, Init(l) \wedge Inv(l)) \mid l \in L\}$, and
by $Post^*(I)$ the countably infinite union $\bigcup_{k \in \mathbb{N}} Post^k(I)$. This is also called
the reachable region, and it represents all the reachable states of the hybrid
automaton. Once $Post^*(I)$ is computed, the reachability problem for a set of
linear regions $\mathcal{R}$ can be solved by checking if the intersection $Post^*(I) \cap \mathcal{R}$ is
non-empty.

We call reachability construction the process of computing the sequence $I$,
$Post(I)$, $Post^2(I)$, ... of sets of regions. If, for some $k \in \mathbb{N}$, it is the case that
$Post^{k+1}(I) \subseteq Post^k(I)$, then reachability construction terminates in finitely
many steps, and $Post^*(I) = Post^k(I)$. This does not happen in general for
linear hybrid automata [HKPV95]. Some subclasses for which reachability
construction terminates have been identified, such as timed automata, initialized
rectangular hybrid automata$^1$, and others [KPSY93, AD94, ACH+95, HKPV95,
RR96]. For these classes, the reachability problem is decidable. Reachability
construction is the procedure implemented in symbolic model-checking tools
like HyTech [AHH96].

1  For  these  classes,  termination  is  achieved  by  slightly  modifying  the  automaton. 
Reachability verification. We define a new approach to the reachability problem,
called the reachability verification method. This method can succeed in
cases when reachability construction fails. Reachability verification consists of
two steps: first, to guess the reachable region; second, to verify that the guess
is correct. In many cases (some of which are presented in Sections 3 and 4), a
suitable guess can be found using the simple heuristic described below, and the
verification can be performed by induction, using a theorem prover.

It appears that when reachability construction does not terminate, the reachable
region of a hybrid automaton can still behave in a regular manner. As an
example, consider the hybrid automaton in Figure 1. By studying the reachability
construction over a few iterations (performed in this situation by the tool
HyTech), it can be seen that the reachable region is described by the following
set of regions:

$$\{(s_1,\; \exists i \in \mathbb{N}.(i \ge 1 \wedge x \le i \wedge y = i \wedge z = 1)),$$
$$\;(s_2,\; \exists i \in \mathbb{N}.(i \ge 1 \wedge x \le i \wedge y = i \wedge z = 1)), \qquad (3)$$
$$\;(s_3,\; \exists i \in \mathbb{N}.(i \ge 1 \wedge x = 0 \wedge y = z + i \wedge i \le y \le i + 1))\}$$

The above expression involves a quantifier over a new natural-number variable $i$.
Thus, a simple heuristic to guess the reachable region is to observe a few iterations
of reachability construction, and to search for a reachable region of the form
$\exists i_1 \in \mathbb{N} \dots \exists i_q \in \mathbb{N}.\; \varphi(x_1, \dots, x_n, i_1, \dots, i_q)$; that is, the reachable region involves some
new natural-number variables $i_1, \dots, i_q$ in addition to the automaton variables.

A typical situation is to guess a reachable region written using only one
natural-number variable $j$, which represents the number of iterations of the Post
procedure. In this case, we call the guessed region directly inductive, and proving
that the guess is correct amounts to proving that for all $j \in \mathbb{N}$, $Post^j(I) = \mathcal{R}(j)$.
This can be performed by induction using a theorem prover. In particular, we
need to show the two following proof obligations: $\mathcal{R}(0) = \{(l, Init(l) \wedge Inv(l)) \mid l \in L\}$
for the base step, and $\forall j \in \mathbb{N}.\; Post(\mathcal{R}(j)) = \mathcal{R}(j+1)$ for the induction step.
As we shall see in Section 3, these proof obligations can often be discharged
automatically.

In other situations the guessed region may not be directly inductive, but it
can be made so by introducing new variables and constraints. For instance, the
reachable region defined by expression (3) is not directly inductive, since the
natural-number variable $i$ does not represent the number of iterations. But this
region becomes directly inductive by adding the constraints $j = 3i$, $j = 3i + 1$,
and $j = 3i + 2$ respectively to the three regions in the set (3). That is, we define
the sets of regions

$\mathcal{R}(j) = \{(s_1,\; \exists i \in \mathbb{N}.(j = 3i \wedge i \ge 1 \wedge x \le i \wedge y = i \wedge z = 1)),$
$(s_2,\; \exists i \in \mathbb{N}.(j = 3i + 1 \wedge i \ge 1 \wedge x \le i \wedge y = i \wedge z = 1)),$
$(s_3,\; \exists i \in \mathbb{N}.(j = 3i + 2 \wedge i \ge 1 \wedge x = 0 \wedge y = z + i \wedge i \le y \le i + 1))\}$

and now the "guess" $\exists j \in \mathbb{N}.\; \mathcal{R}(j)$ is directly inductive, with $j$ representing
the number of iterations.

Finally,  even  in  situations  when  the  guess  is  not  (or  cannot  be  transformed 
into)  directly  inductive,  a  useful  approach  is  to  prove  that  it  is  an  invariant 
of  the  system.  This  can  often  be  done  automatically  and  it  is  often  enough  in 
practice  for  proving  safety  properties.  We  present  sample  proofs  in  Section  4. 
We now give a classification of hybrid automata according to the theory in which
their reachable region can be written finitely. The less expressive this theory,
the less interactive theorem proving is needed for doing reachability verification.

3  Reachable  Region  Classification 

The  first  class  that  we  define  contains  in  particular  all  the  hybrid  automata  for 
which  reachability  construction  terminates. 

Definition 3.1 (polyhedral hybrid automata). A linear hybrid automaton
is polyhedral if its reachable region can be expressed as a set of pairs $\{(l, P_l) \mid l \in L\}$
such that for each location $l \in L$, $P_l$ is a formula of the theory$^2$ $(\mathbb{R}, +, <)$. □

We say a linear hybrid automaton is finitely constructible if its reachability
construction terminates: i.e., for some $k \in \mathbb{N}$, $Post^*(I) = Post^k(I)$. While all
finitely constructible hybrid automata are polyhedral, the converse is not true:
it is easy to construct a hybrid automaton such that for all $k \in \mathbb{N}$, $Post^k(I)$ is the
closed interval $[0, k]$; thus, the reachable region $Post^*(I)$ is the interval $[0, \infty)$,
but reachability construction does not converge in finitely many steps. The class
of finitely constructible hybrid automata includes the timed automata [AD94]
and the initialized rectangular hybrid automata [HKPV95] (with some minor
modifications to force the reachability construction to terminate) as well as some
other restricted classes [KPSY93, RR96].

Definition 3.2 (additive-inductive hybrid automata). A linear hybrid
automaton is additive-inductive if its reachable region can be expressed as a set
of pairs $\{(l, P_l) \mid l \in L\}$ such that for each location $l \in L$, $P_l$ is a formula
of the theory $(\mathbb{R}, \mathbb{N}, +, <)$ in which all natural-number variables are outermost
existentially quantified. □

For  instance,  the  hybrid  automaton  in  Figure  1  is  additive-inductive:  we  have 
seen  that  its  reachable  region  (3)  involves  the  real  variables  x,y,z  and  the 
natural-number  variable  i,  which  is  outermost  existentially  quantified. 

Proposition  3.3.  The  class  of  polyhedral  hybrid  automata  is  strictly  included 
in  the  class  of  additive-inductive  hybrid  automata. 

Proof. The inclusion is obvious (since any formula of $(\mathbb{R}, +, <)$ is also a formula
of $(\mathbb{R}, \mathbb{N}, +, <)$). Let us show that the inclusion is strict. For this, consider the
hybrid automaton in Figure 1. We have seen that it is additive-inductive; let
us suppose it is polyhedral (as it would be, in particular, if it were finitely
constructible, by a previous observation). Then, formula (4)
$\exists i \in \mathbb{N}.(i \ge 1 \wedge x \le i \wedge y = i \wedge z = 1)$ can also be expressed in
the theory $(\mathbb{R}, +, <)$; that is, the set of triples $(x, y, z)$ satisfying (4) constitutes
a finite union of convex polyhedra $P_1, \dots, P_n$ in $\mathbb{R}^3$. Since (4) is the countably
infinite union $\bigvee_{i \in \mathbb{N}} (i \ge 1 \wedge x \le i \wedge y = i \wedge z = 1)$, it follows that at least one of
the convex polyhedra $P_j$ coincides with the union of infinitely many polyhedra
of the form (5) $(x \le i \wedge y = i \wedge z = 1)$. This is not possible, because the union
of polyhedra of the form (5) is not convex (they are all disjoint). □

2 Whenever we define a logical theory, we allow (unless explicitly restricted) arbitrary
first-order quantification and boolean connectives.

Suppose the user can guess a reachable region like in Definition 3.2 (using the
simple heuristic of extrapolating from the first few reachability steps) and that
furthermore the guess is directly inductive (cf. end of Section 2). Then, verifying
that the guess is correct can be done by induction in a completely automatic manner.
Indeed, both the base and the inductive steps of the proof require computing
the extension and projection operations (cf. equations (1), (2) of Section 2) for
formulas of the theory $(\mathbb{R}, \mathbb{N}, +, <)$. This amounts to proving finitely many
implications of the form $\forall x \in \mathbb{R}^n.\; \forall i \in \mathbb{N}^m.\; \exists y \in \mathbb{R}.\; \varphi(x, i, y) \Rightarrow \psi(x, i, y)$. Proving
such an implication can be done automatically, by eliminating the existential
quantifiers on the real variables using the Fourier-Motzkin algorithm [Zie95]
(transforming the universal quantifiers into existential ones by taking the negation
of the formula whenever necessary). At the end we are left with a formula
of Presburger arithmetic, which is decidable.
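As an added illustration (example code written for this edition, not part of the paper and not HyTech's or PVS's code), the following Python implements the extension (1) and projection (2) operations and the five-step Post procedure of Section 2, using Fourier-Motzkin elimination as the quantifier-elimination step over the reals that the paragraph above relies on, and runs one Post step of the Figure 1 automaton from its initial region. Predicates are conjunctions of non-strict linear inequalities with exact rational coefficients; strict inequalities are not modelled, the invariant of $s_2$ ($x \ge 0$) and the zero slopes of $y, z$ at $s_2$ are assumptions (the figure is not reproduced), and the Presburger part of the obligations is not covered.

```python
from fractions import Fraction
from itertools import product

# A constraint is (coefs, const) standing for  sum(coefs[v] * v) + const <= 0.
# A convex linear predicate is a list of constraints; equalities are two
# opposite inequalities.  Strict inequalities are not modelled (assumption).

def le(coefs, const=0):
    """Constraint  sum(coefs[v] * v) + const <= 0  with exact rationals."""
    return ({v: Fraction(c) for v, c in coefs.items() if c != 0}, Fraction(const))

def eq(coefs, const=0):
    """Equality  sum(coefs[v] * v) + const = 0  as two inequalities."""
    return [le(coefs, const), le({v: -c for v, c in coefs.items()}, -const)]

def fm_eliminate(pred, var):
    """Fourier-Motzkin: a predicate equivalent to  exists var. pred.
    Rows with var > 0 pair with rows with var < 0; rows without var are kept.
    Returns None on an evident contradiction (0 + c <= 0 with c > 0)."""
    pos, neg, rest = [], [], []
    for coefs, const in pred:
        c = coefs.get(var, 0)
        (pos if c > 0 else neg if c < 0 else rest).append((coefs, const))
    combined = list(rest)
    for (pc, pk), (nc, nk) in product(pos, neg):
        a, b = pc[var], -nc[var]                      # both > 0
        coefs = {}
        for v in set(pc) | set(nc):
            c = b * pc.get(v, 0) + a * nc.get(v, 0)   # var cancels: b*a - a*b
            if v != var and c != 0:
                coefs[v] = c
        combined.append((coefs, b * pk + a * nk))
    result = []
    for coefs, const in combined:
        if not coefs:                                 # 0 + const <= 0
            if const > 0:
                return None
            continue                                  # tautology, drop
        result.append((coefs, const))
    return result

def conj(*preds):
    """Intersection of predicates; None (empty) is absorbing."""
    return None if any(p is None for p in preds) else [c for p in preds for c in p]

def extend(pred, slopes):
    """Continuous successor, formula (1): substitute x_i -> x_i - k_i*r,
    add r >= 0, eliminate r."""
    r = "_r"
    shifted = []
    for coefs, const in pred:
        new = dict(coefs)
        k = sum(coefs.get(x, 0) * Fraction(s) for x, s in slopes.items())
        if k != 0:
            new[r] = -k                               # coefficient of r after substitution
        shifted.append((new, const))
    shifted.append(le({r: -1}))                       # -r <= 0
    return fm_eliminate(shifted, r)

def project(pred, resets):
    """Discrete successor, formula (2): quantify each reset variable away,
    then pin it to 0."""
    out = pred
    for x in resets:
        out = fm_eliminate(out, x)
        if out is None:
            return None
        out = out + eq({x: 1})
    return out

def post_step(region, guard, resets, inv_target, slopes_target):
    """The five steps of the Post procedure along one transition."""
    p1 = conj(region, guard)
    p2 = project(p1, resets) if p1 is not None else None
    p3 = conj(p2, inv_target)
    p4 = extend(p3, slopes_target) if p3 is not None else None
    return conj(p4, inv_target)

def satisfies(pred, point):
    """Does the valuation `point` (dict variable -> number) satisfy pred?"""
    return pred is not None and all(
        sum(c * Fraction(point[v]) for v, c in coefs.items()) + const <= 0
        for coefs, const in pred)

# Figure 1 as far as the text describes it.  The invariant of s2 (x >= 0) and
# the zero slopes of y, z at s2 are assumptions; the figure is not reproduced.
INIT_S1 = eq({"x": 1}) + eq({"y": 1}, -1) + eq({"z": 1}, -1)   # x = 0, y = 1, z = 1
INV_S1 = [le({"x": 1, "y": -1})]                                # x <= y
SLOPES_S1 = {"x": 1, "y": 0, "z": 0}
GUARD_S1_S2 = eq({"x": 1, "y": -1})                             # x = y, no resets
INV_S2 = [le({"x": -1})]                                        # x >= 0 (assumed)
SLOPES_S2 = {"x": -1, "y": 0, "z": 0}                           # y, z slopes assumed

def reach_s1():
    """Initial region of s1 extended inside its invariant: 0 <= x <= 1, y = z = 1."""
    return conj(extend(conj(INIT_S1, INV_S1), SLOPES_S1), INV_S1)

def reach_s2():
    """Post of reach_s1() along s1 -> s2: 0 <= x <= 1, y = z = 1, x now decreasing."""
    return post_step(reach_s1(), GUARD_S1_S2, [], INV_S2, SLOPES_S2)

if __name__ == "__main__":
    for name, region in (("s1", reach_s1()), ("s2", reach_s2())):
        print(name, [(dict(c), k) for c, k in region])
```

Running the module prints the two regions as constraint lists. The region at $s_2$ is $0 \le x \le 1 \wedge y = 1 \wedge z = 1$, i.e. the $s_2$ member of (3) at $i = 1$ (the lower bound on $x$ comes from the assumed invariant). Redundant constraints are kept rather than minimised, and infeasibility is only detected when a variable-free contradiction appears, which is why `satisfies` is used to query points rather than comparing constraint lists.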

In the situation where the guessed region is not directly inductive, one can
still attempt to make it directly inductive as indicated in Section 2, by introducing
new variables (one of which represents the iteration number) and new constraints
connecting the existing and the new variables. Finally, even when a guess is not
directly inductive, it can be useful (as an invariant of the system) to prove safety
properties. We demonstrate these approaches in Section 4 on some well-known
examples.

We now define a class of linear hybrid automata whose reachable region
can be defined in terms of natural and real numbers, using addition and multiplication.
Consider the theory $(\mathbb{R}, \mathbb{N}, +, \cdot_{\mathbb{N}\times\mathbb{N}}, \cdot_{\mathbb{N}\times\mathbb{R}}, <)$ of reals and naturals
with multiplication between naturals $\cdot_{\mathbb{N}\times\mathbb{N}}$, multiplication between naturals and
reals $\cdot_{\mathbb{N}\times\mathbb{R}}$, and inequality. Any formula in this theory is a boolean combination
of linear inequalities in the real variables, with polynomial coefficients in the
natural-number variables; for example, $(n^3 - 1) \cdot x + m \cdot y + n \ge 0$, where $x, y$
are real variables and $m, n$ are natural-number variables.

Definition 3.4 (multiplicative-inductive hybrid automata). A linear hybrid
automaton is multiplicative-inductive if its reachable region can be expressed
as a set of pairs $\{(l, P_l) \mid l \in L\}$ such that for each location $l \in L$, $P_l$ is a formula
of the theory $(\mathbb{R}, \mathbb{N}, +, \cdot_{\mathbb{N}\times\mathbb{N}}, \cdot_{\mathbb{N}\times\mathbb{R}}, <)$ with all the natural-number variables
outermost existentially quantified. □

The linear hybrid automaton$^3$ in Figure 2 is multiplicative-inductive: it can be
shown easily that the reachable region at location $s_1$ is defined by the formula (6)
$\exists n \in \mathbb{N}.(n \ge 1 \wedge x = 1 \wedge n \cdot y = 1 \wedge u = 0 \wedge v = 0)$, where $x, y, u, v$ are real
variables, and $n$ is a natural-number variable.


3 In Figure 2, activities $\dot x = \dot y = \dot u = \dot v = 0$ at all locations are not represented.
Figure 2. Multiplicative-inductive hybrid automaton (diagram not reproduced; legible fragments of its labels: locations $s_1$, $s_2$; a transition labelled $u \le v - 1,\; u := u + 1,\; x := x + y$; a guard $u = v \wedge x = 1$; resets $u := 0$ and $u := 0,\; v := 5$)

Proposition  3.5.  The  class  of  additive-inductive  hybrid  automata  is  strictly 
included  in  the  class  of  multiplicative-inductive  hybrid  automata. 

Proof.  The  proof  of  this  proposition  is  based  on  the  following  observations. 
Given  two  predicates  ip  and  tp  on  the  real  variables  xi, . . .  ,xn,  we  identify  ip 
and  ip  with  the  sets  of  points  in  Rn  that  they  respectively  define.  We  define  the 
maximal  distance  A(ip,tp)  between  ip  and  tp  as  follows:  if  (p  or  tp  are  empty  then 
A((p,tp)  is  a  special  value  -L;  otherwise,  A(ip,tp)  is  the  lowest  upper  bound  of 
the  set  of  distances  in  Rn  between  a  point  satisfying  ip  and  a  point  satisfying  tp. 

Consider  now  an  additive-inductive  hybrid  automaton,  a  location  l  of  the  au¬ 
tomaton,  and  the  formula  3*i  £  F\  . . .  3 ig  £  JN.<p(x\ , . . .  xn,  i\  . . .  iq)  that  defines 
the  reachable  region  of  the  automaton  at  location  l.  Without  restricting  the 
generality,  it  is  possible  to  suppose  that  formula  ip  is  a  convex  linear  predicate  in 
variables  ®i *i, ..., i9.  We  define  a  sequence  (pm)m>i  of  linear  predi¬ 
cates  by  the  relation  tpm(xi , . . .  , xn)  =  ip(x i ,...xn,m...  , to);  i.e.,  the  sequence 
of  predicates  (<pm)m> l  is  obtained  by  replacing  in  formula  ip  all  integer  variables 
by  the  value  to.  Thus,  any  predicate  in  the  sequence  (ipm)m> l  is  a  convex  linear 
predicate  on  x\ , . . .  ,  xn;  that  is,  any  predicate  ipm  is  a  convex  polyhedron  in  Mn. 

We now define the sequence $(\Delta_m)_{m \ge 1}$ by $\Delta_m = \Delta(\varphi_m, \varphi_{m+1})$ for all $m \ge 1$. We show that the sequence $(\Delta_m)_{m \ge 1}$ can behave in one of three possible manners. In the first case, there are infinitely many polyhedra $\varphi_m$ that are empty and thus for infinitely many $m \ge 1$, $\Delta_m = \bot$. Otherwise, there exists an index $M \ge 1$ such that for all $m \ge M$, all polyhedra $\varphi_m$ are non-empty. Then it can be shown that for all $m \ge M$, each vertex of $\varphi_{m+1}$ is obtained from some vertex of $\varphi_m$ by translation by some constant vector $w \in \mathbb{R}^n$. The vector $w$ depends on the vertex but not on the index $m$. If all such vectors $w$ are $0$, then we have the second case: for all $m \ge M$, the polyhedra $\varphi_m$ are equal, and hence the sequence $(\Delta_m)_{m \ge M}$ is constant. Otherwise, at least one vector $w$ is not $0$ and we have the third case: for all $m \ge M$, $\Delta_m \ge |w| > 0$ (where $|w|$ denotes the length of vector $w$).

Consider now the hybrid automaton in Figure 2 and suppose that it is additive-inductive. We have seen that the formula (6) $\exists i \in \mathbb{N}.\,(i \ge 1 \wedge x = 1 \wedge i \cdot y = 1 \wedge v = 0 \wedge u = 0)$ represents the reachable region of this hybrid automaton at location $s_3$. We apply the previous constructions: we obtain the sequence of predicates $\varphi_m = (x = 1 \wedge m \cdot y = 1 \wedge v = 0 \wedge u = 0)$ and the sequence of distances $\Delta_m = 1/(m(m+1))$, for all $m \ge 1$. The last sequence is strictly decreasing and converges to $0$. But we have seen that this cannot be the case for a sequence $(\Delta_m)_{m \ge 1}$ obtained (as described above) from the reachable region of an additive-inductive hybrid automaton. Hence, the multiplicative-inductive hybrid automaton in Figure 2 is not additive-inductive. □
Reachability verification can still be applied to multiplicative-inductive hybrid automata, provided the user guesses the reachable region. For instance, consider the hybrid automaton in Figure 2, whose initial region $I$ is defined by location $s_1$. We apply reachability verification: we guess the reachable region at location $s_3$ to be formula (6) above (using the heuristic of observing the first steps of reachability construction). This guess is furthermore directly inductive (cf. end of Section 2): to prove that the guess is correct, we show by induction that for all $k \ge 1$, the region $\mathit{Post}^k(I)$ at location $s_3$ is described by the formula $(x = 1 \wedge k \cdot y = 1 \wedge v = 0 \wedge u = 0)$. However, unlike the case of additive-inductive hybrid automata, this proof can only be partially automated. Indeed, the extension and projection operations (equations (1), (2) of Section 2) can be computed automatically for predicates in $(\mathbb{R}, \mathbb{N}, +, \cdot_{\mathbb{N} \times \mathbb{N}}, \cdot_{\mathbb{N} \times \mathbb{R}}, <)$: these operations require eliminating the existential quantifiers on the real variables, which can be done using a generalization of the Fourier-Motzkin algorithm [BR97]. But after the quantifier elimination, we are left to decide a first-order formula of the (undecidable) theory $(\mathbb{N}, +, \cdot, <)$. This last formula has to be dealt with by theorem proving. So, the verification process is more involved than in the case of additive-inductive hybrid automata.


[Figure 3: hybrid automaton with a single transition labelled $x := 3x - 4y$, $y := 4x + 3y$.]

Figure 3. Hybrid automaton with exponential/trigonometric reachable region

While the theory of natural numbers with addition, multiplication and order is extremely expressive for encoding purposes, there exist linear hybrid automata whose reachable regions are most naturally expressed in terms of other operations, like exponentials and trigonometric functions. Consider the hybrid automaton in Figure 3. The transition sets the variables to new values$^4$ that we denote $x'$, $y'$. Let $\theta \in \mathbb{R}$ be such that $5 \cos\theta = 3$. Then, we have $x' = 5(x \cos\theta - y \sin\theta)$, $y' = 5(x \sin\theta + y \cos\theta)$. Interpreted as a vector operation, the previous relations just say that vector $[x', y']$ has a length 5 times greater than vector $[x, y]$, and that $[x', y']$ is rotated by angle $\theta$ from $[x, y]$. Thus, the reachable region is defined by formula $\exists n \in \mathbb{N}\ \exists \theta \in \mathbb{R}.\,(x = 5^n \cos n\theta \wedge y = 5^n \sin n\theta \wedge 5 \cos\theta = 3)$. This would suggest that reachable regions need quite expressive theories in order to be expressed finitely. However, it is easy to show that the previous region can be encoded in the first-order theory of integers with multiplication: let $\mathit{code}(x, y)$ be an encoding function of pairs of integers as natural numbers, and consider the natural numbers of the form (7):

$2^{\mathit{code}(x_1, y_1)} \cdot 3^{\mathit{code}(x_2, y_2)} \cdots p_n^{\mathit{code}(x_n, y_n)}.$

Here, $p_n$ is the $n$-th prime number, and $x_n, y_n$ are the terms of the sequence defined by $x_1 = 1$, $y_1 = 0$, and the transition relation of the automaton. Clearly, the fact that $(x_n, y_n)$ is in the reachable region is encoded by the existence of natural numbers of the form (7), which can be described in the theory $(\mathbb{N}, +, \cdot, <)$.

4  The  linear  assignments  can  be  simulated  by  appropriate  slopes,  tests,  and  resets. 
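To make the encoding argument concrete, here is an added example (not from the paper): it iterates the transition of Figure 3 from $(x_1, y_1) = (1, 0)$, checks the iterates against the closed form $(5^n \cos n\theta, 5^n \sin n\theta)$, and builds and decodes certificates of the form (7). The paper leaves $\mathit{code}$ abstract; a Cantor pairing of integers is used here as our own choice.

```python
"""Constructed example: the run of the Figure 3 automaton packed into a number of form (7).

The transition x := 3x - 4y, y := 4x + 3y is iterated from (x_1, y_1) = (1, 0).
The pairing function `code` is our own choice; the paper leaves it abstract.
"""
import math

THETA = math.acos(3 / 5)   # 5 cos(theta) = 3, hence 5 sin(theta) = 4


def step(x, y):
    """Transition relation of the automaton in Figure 3."""
    return 3 * x - 4 * y, 4 * x + 3 * y


def run_from_origin(n):
    """The first n points (x_1, y_1), ..., (x_n, y_n) of the run starting at (1, 0)."""
    pts, (x, y) = [], (1, 0)
    for _ in range(n):
        pts.append((x, y))
        x, y = step(x, y)
    return pts


def closed_form(k):
    """(5^k cos k.theta, 5^k sin k.theta) rounded to integers; equals (x_{k+1}, y_{k+1})."""
    return round(5 ** k * math.cos(k * THETA)), round(5 ** k * math.sin(k * THETA))


def to_nat(k):
    """Bijection Z -> N: 0, -1, 1, -2, 2, ... -> 0, 1, 2, 3, 4, ..."""
    return 2 * k if k >= 0 else -2 * k - 1


def from_nat(n):
    """Inverse of to_nat."""
    return n // 2 if n % 2 == 0 else -(n + 1) // 2


def code(x, y):
    """Cantor pairing of the integer pair (x, y) into a natural number (our `code`)."""
    a, b = to_nat(x), to_nat(y)
    return (a + b) * (a + b + 1) // 2 + b


def decode(c):
    """Inverse of `code`."""
    w = (math.isqrt(8 * c + 1) - 1) // 2
    b = c - w * (w + 1) // 2
    return from_nat(w - b), from_nat(b)


def nth_primes(n):
    """The first n prime numbers p_1 = 2, p_2 = 3, ..."""
    ps, k = [], 2
    while len(ps) < n:
        if all(k % p for p in ps):
            ps.append(k)
        k += 1
    return ps


def certificate(n):
    """The number 2^code(x_1,y_1) * 3^code(x_2,y_2) * ... * p_n^code(x_n,y_n) of form (7)."""
    m = 1
    for p, (x, y) in zip(nth_primes(n), run_from_origin(n)):
        m *= p ** code(x, y)
    return m


def decode_certificate(m):
    """Return the run encoded by m, or None if m is not of form (7) for this automaton."""
    pts, k = [], 1
    while m > 1:
        k += 1
        if any(k % q == 0 for q in range(2, math.isqrt(k) + 1)):
            continue                                  # k is composite: skip it
        e = 0
        while m % k == 0:
            m, e = m // k, e + 1
        if e == 0:
            return None                               # a prime is skipped: not of form (7)
        pts.append(decode(e))
    if not pts or pts[0] != (1, 0):
        return None                                   # the run must start at (1, 0)
    if any(step(*p) != q for p, q in zip(pts, pts[1:])):
        return None                                   # consecutive pairs must follow the transition
    return pts


def is_reachable(x, y, max_steps=3):
    """(x, y) is reachable iff some certificate of form (7) ends in (x, y) (bounded search)."""
    return any((decode_certificate(certificate(n)) or [None])[-1] == (x, y)
               for n in range(1, max_steps + 1))
```

The exponents grow like $25^n$, so certificates beyond a handful of steps are impractically large; the point is the existence of the encoding, not its efficiency.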
Finally, we mention a restricted subclass of linear hybrid automata for which the reachable region can be computed algorithmically, even though reachability construction does not necessarily terminate. Some well-known examples of hybrid automata (like the ones we discuss in Section 4) are in this class. We say a hybrid automaton is time-predictable if for each location $l'$ and each pair of transitions $(l, l')$ and $(l', l'')$ with destination (resp. with origin) $l'$, there exists an interval of $\mathbb{R}^+$ such that transition $(l', l'')$ can be fired at any moment within the given interval, after the firing of transition $(l, l')$. We say a hybrid automaton is without nested cycles if its graph is equivalent to a regular expression (on the transition names) without nested $*$ operations. We have proved$^5$ that time-predictable hybrid automata without nested cycles are additive-inductive but not polyhedral (cf. Definitions 3.1, 3.2), and that their reachable region can be computed algorithmically, by a procedure different from reachability construction. This shows that there exist hybrid automata for which the reachability problem is decidable, even though reachability construction does not terminate.


4 Hybrid Automata in PVS

We outline the modeling of hybrid automata and reachability verification in PVS [ORR+96]. First we specify a theory polyhedra[n] of $n$-dimensional polyhedra (parametric in the dimension $n \in \mathbb{N}$). It contains essentially the definitions of extension, projection (formulas (1), (2) of Section 2), and intersection operations on polyhedra. Writing such first-order predicates in the higher-order PVS specification language is straightforward. Then, we write another theory that is specific to the particular hybrid automaton to be analyzed (containing the definition of the automaton features: states, transitions, activities, invariants, guards, and resets). This second theory uses (imports) the theory polyhedra[n], instantiating $n$ with the number of variables of the hybrid automaton. Finally, in a third theory called symbolic-analysis we specify the types and operations of reachability analysis (independent of any particular hybrid automaton): the region type (record of state and polyhedron), the continuous and discrete successors of a region, and a post predicate on regions, according to the definition of the Post operation (cf. Section 2):


    region : TYPE = [# thestate: state, thepoly: poly #]

    continuous(r1: region) : region =
      (# thestate := thestate(r1),
         thepoly  := intersection(extend(thepoly(r1), slope(thestate(r1))),
                                  invar(thestate(r1))) #)

    discrete(r1: region, t: trans) : region =
      (# thestate := dest(t),
         thepoly  := intersection(project(reset(t), intersection(thepoly(r1), guard(t))),
                                  invar(dest(t))) #)

    post(R1, R2: setof[region]) : bool =
      FORALL (r2: region): member(r2, R2)
        IMPLIES EXISTS (r1: region, t: trans):
          member(r1, R1) AND orig(t) = thestate(r1)
          AND r2 = continuous(discrete(r1, t))

5 The proof is not presented here due to lack of space.

To prove statements about the reachable region $\mathit{Post}^*(I)$, we use induction and the predicate post. We now describe the application of reachability verification to examples of hybrid systems modeled by additive-inductive hybrid automata.


[Figure 4: automaton with locations $s_1$ (leaking) and $s_2$ (non-leaking). Recoverable labels: invariant $x \le 1$, guard true, initial condition $x = y = z = 0$, guard $x \ge 30$, and the reset $x := 0$ on both transitions.]

Figure 4. Leaking gas burner automaton

The leaking gas burner. The hybrid automaton in Figure 4 models a leaking gas burner [CHR91]: location $s_1$ (resp. $s_2$) stands for the leaking (resp. the non-leaking) state of the system; variable $x$ is used to control the time spent in each state, variable $y$ is a global clock, and variable $z$ measures the total time spent by the gas burner in the leaking state. A design requirement for the leaking gas burner is that in any interval of time of at least 60 seconds, the leaking time does not exceed 5% of the total time. This can be expressed by the fact that linear predicate $y \ge 60 \Rightarrow 20z \le y$ is an invariant of the system (i.e., true in all reachable states). The specification in PVS of this example includes the theories polyhedra[n] with $n$ instantiated by 3 (the number of variables of the automaton), and symbolic-analysis for the reachability analysis of the system. The system itself (hybrid automaton in Figure 4) is specified in a theory leaking-gas-burner, that contains the description of the automaton: locations with invariants and differential laws, and transitions called s1_to_s2 and s2_to_s1, with their guards and variables to reset. The reachability construction does not terminate$^6$ but by studying the first few iterations, one can guess

6  Although  backwards  reachability  construction  terminates  in  this  case. 
that the reachable region is described by the following set of linear regions (from which it can be seen that the hybrid automaton is additive-inductive):

$\{(s_1,\ 0 \le x \le 1 \wedge x = y = z\ \vee\ \exists i \in \mathbb{N}.(i \ge 1 \wedge 0 \le x \le 1 \wedge 0 \le z - x \le i \wedge 30i + z \le y)),$
$\ (s_2,\ 0 \le z \le 1 \wedge y = x + z \wedge x \ge 0\ \vee\ \exists i \in \mathbb{N}.(i \ge 1 \wedge 0 \le x \wedge 0 \le z \le i + 1 \wedge 30i + x + z \le y))\}$

However, this guess is not directly inductive (cf. end of Section 2) because the natural-number variable $i$ does not represent the number of iterations. It is possible to make the guess directly inductive, by introducing a new natural-number variable $j$ and two new constraints $j = 2i$, $j = 2i + 1$. More precisely, we define the sets of regions $\mathcal{R}(j)$ such that for all $j \ge 2$, $\mathcal{R}(j)$ is equal to:

$\{(s_1,\ \exists i \in \mathbb{N}.(i \ge 1 \wedge j = 2i \wedge 0 \le x \le 1 \wedge 0 \le z - x \le i \wedge 30i + z \le y)),$
$\ (s_2,\ \exists i \in \mathbb{N}.(i \ge 1 \wedge j = 2i + 1 \wedge 0 \le x \wedge 0 \le z \le i + 1 \wedge 30i + x + z \le y))\}$

Furthermore, $\mathcal{R}(0)$ equals $\{(s_1,\ 0 \le x \le 1 \wedge x = y = z), (s_2,\ \mathit{false})\}$ and $\mathcal{R}(1)$ equals $\{(s_1,\ \mathit{false}), (s_2,\ 0 \le z \le 1 \wedge y = x + z \wedge x \ge 0)\}$. Now, the new "guess" $\exists j \in \mathbb{N}.\,\mathcal{R}(j)$ is directly inductive (with $j$ representing the number of iterations). We prove by induction on $j$ that $\mathit{Post}^j(I) = \mathcal{R}(j)$, for all $j \in \mathbb{N}$. This means that $\mathit{Post}^*(I) = \exists j \in \mathbb{N}.\,\mathcal{R}(j)$; i.e., the guess of the reachable region is correct.

Finally, to prove the design requirement of the gas burner $y \ge 60 \Rightarrow 20z \le y$, we prove that it is implied by $\mathit{Post}^*(I)$. Except for some details (like the expansions of the definitions for continuous, discrete, post etc.), PVS can do all the proofs automatically, using its built-in decision procedures.
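Before attempting the inductive proof in a prover, it is worth testing a guessed region against concrete runs. The following is an added example (not from the paper or its PVS theories): it simulates the gas burner of Figure 4 with exact rationals and checks that every state reached after exactly $j$ discrete transitions lies in $\mathcal{R}(j)$ and satisfies $y \ge 60 \Rightarrow 20z \le y$; the sampling bound of at most 90 time units per visit to $s_2$ is our own choice.

```python
"""Constructed example: sampled check of the guessed regions R(j) of the leaking gas burner.

Automaton of Figure 4 as described in the text: s1 (leaking) has invariant x <= 1 and
slopes dx = dy = dz = 1; s2 (non-leaking) has slopes dx = dy = 1, dz = 0; s1_to_s2 is
always enabled, s2_to_s1 needs x >= 30; both transitions reset x := 0; initially
x = y = z = 0 in s1.  Exact Fractions avoid floating-point tolerance problems.
"""
from fractions import Fraction
import random

LEAK_MAX = 1        # invariant of s1: x <= 1
NONLEAK_MIN = 30    # guard of s2_to_s1: x >= 30
S2_SAMPLE_MAX = 90  # our sampling bound for the dwell time in s2 (no invariant there)


def in_R(j, loc, x, y, z):
    """Membership in the directly inductive guess R(j), j = number of discrete steps."""
    if j == 0:
        return loc == "s1" and 0 <= x <= 1 and x == y == z
    if j == 1:
        return loc == "s2" and 0 <= z <= 1 and y == x + z and x >= 0
    i, parity = divmod(j, 2)                  # j = 2i or j = 2i + 1, with i >= 1
    if parity == 0:
        return loc == "s1" and 0 <= x <= 1 and 0 <= z - x <= i and 30 * i + z <= y
    return loc == "s2" and 0 <= x and 0 <= z <= i + 1 and 30 * i + x + z <= y


def requirement(y, z):
    """Design requirement: y >= 60 implies 20 z <= y (leaking at most 5% of the time)."""
    return y < 60 or 20 * z <= y


def elapse(loc, x, y, z, t):
    """Continuous successor after t time units in location loc."""
    if loc == "s1":
        return x + t, y + t, z + t
    return x + t, y + t, z                    # z is frozen in the non-leaking state


def jump(loc, x):
    """Discrete successor: s1_to_s2 is unconditional, s2_to_s1 needs x >= 30; both reset x."""
    if loc == "s2" and x < NONLEAK_MIN:
        raise ValueError("guard x >= 30 of s2_to_s1 not satisfied")
    return ("s2" if loc == "s1" else "s1"), 0


def random_run(steps, rng):
    """One run with `steps` discrete transitions; returns (all states in R(j), requirement ok)."""
    loc, x, y, z = "s1", Fraction(0), Fraction(0), Fraction(0)
    ok_region = ok_req = True
    for j in range(steps + 1):
        hi = LEAK_MAX if loc == "s1" else S2_SAMPLE_MAX
        t = Fraction(rng.randint(0, 100 * hi), 100)   # dwell time; respects x <= 1 in s1
        x, y, z = elapse(loc, x, y, z, t)
        ok_region &= in_R(j, loc, x, y, z)             # state after j steps must be in R(j)
        ok_req &= requirement(y, z)
        if loc == "s2" and x < NONLEAK_MIN:            # wait until the guard is enabled
            x, y, z = elapse(loc, x, y, z, NONLEAK_MIN - x)
            ok_region &= in_R(j, loc, x, y, z)
            ok_req &= requirement(y, z)
        loc, x = jump(loc, x)
    return ok_region, ok_req


def check_guess(runs=300, steps=12, seed=7):
    """Run many random trajectories; both flags must stay True for the guess to survive."""
    rng = random.Random(seed)
    results = [random_run(steps, rng) for _ in range(runs)]
    return all(r for r, _ in results), all(q for _, q in results)
```

A failing sample refutes the guess outright; a passing sample only says the guess is worth the inductive proof, which is what the PVS step then supplies.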


The reactor temperature controller. This example is taken from [JLHM91]. It is a variant of the nuclear reactor temperature control problem, in which non-linear evolutions are approximated by piecewise-linear functions [HHWT98].

[Figure 5: automaton with locations $\mathit{rod}_1$, no-rod, $\mathit{rod}_2$. Recoverable labels: invariants $x \ge 510$ and $x \le 550$; rates $\dot x \in [-5, -1]$, $\dot x \in [1, 5]$, $\dot x \in [-9, -5]$ and $\dot y_1 = \dot y_2 = 1$; guards $x = 510$, $x = 550$, $y_1 \ge 20$, $y_2 \ge 20$; resets $y_1 := 0$, $y_2 := 0$.]

Figure 5. Reactor temperature control automaton

The reactor automaton (cf. Figure 5) has three locations: in the no-rod location, the temperature $x$ increases according to the law $\dot x \in [1, 5]$, and control can stay in location no-rod as long as the temperature does not exceed 550. When the temperature reaches 550, the reactor uses one of two cooling rods, and the control goes to a location where temperature decreases, according to law $\dot x \in [-5, -1]$ or $\dot x \in [-9, -5]$, depending on the cooling rod that is used. When the temperature falls to 510, the rod is removed and the reactor goes back to the no-rod location. After a rod has been used, it cannot be used again before 20 time units. This is specified using two clocks $y_1$ and $y_2$: when the control leaves the location $\mathit{rod}_i$ (that is, rod $i$ is removed from the reactor) the clock variable $y_i$ is reset, and the next entry to location $\mathit{rod}_i$ is guarded by the condition $y_i \ge 20$. A design requirement for the temperature control system is that the temperature never reaches the upper limit ($x = 550$) in the no-rod location of the automaton with both rods unavailable ($y_1 < 20$ and $y_2 < 20$). The reachability construction from the initial region (location no-rod, variables $x = 510$, $y_1 = y_2 = 20$) does not terminate. However, the reachable region behaves in a regular manner; by studying the output of the model checker HyTech, it can be guessed that the reachable region for location no-rod (the location that interests us) has the form:

$(x \le 550) \wedge [\,(y_1 = y_2 \wedge x \ge y_1 + 490 \wedge x \le 5y_1 + 410)\ \vee$
$\exists i \in \mathbb{N}.(x \ge y_1 + 510 \wedge x \le 5y_1 + 510 \wedge y_2 \ge y_1 + 36 + 28i \wedge y_2 \le y_1 + 100 + 80i)\ \vee$
$\exists i \in \mathbb{N}.(x \ge y_1 + 510 \wedge x \le 5y_1 + 510 \wedge y_2 \ge y_1 + 16 + 28i \wedge y_2 \le y_1 + 80(1 + i))\ \vee$
$\exists i \in \mathbb{N}.(x \ge y_2 + 510 \wedge x \le 5y_2 + 510 \wedge 9y_1 \ge 9y_2 + 112 + 220i \wedge y_1 \le y_2 + 48(i + 2))\ \vee$
$\exists i \in \mathbb{N}.(x \ge y_2 + 510 \wedge x \le 5y_2 + 510 \wedge 9y_1 \ge 9y_2 + 292 + 220i \wedge y_1 \le y_2 + 68 + 48i)\,].$

We prove in PVS that the above predicate is an invariant at location no-rod of the automaton. For this, we show that our guess $\mathcal{R}$ satisfies $I \subseteq \mathcal{R}$ and $\mathit{Post}(\mathcal{R}) \subseteq \mathcal{R}$. This is enough for proving the design requirement: indeed, the above predicate implies the negation of the 'dangerous' region $x = 550 \wedge y_1 < 20 \wedge y_2 < 20$, so the design requirement is met. Except for details like definition expansion, these proofs are completely automatic in PVS.

5  Conclusion 

We have presented a new approach to the reachability problem of hybrid automata. The idea is to guess the form of the reachable region and to use theorem proving for verifying that the guess is correct. We have classified hybrid automata according to the theory in which their reachable region can be written finitely. In this classification, we have identified the additive-inductive and multiplicative-inductive hybrid automata, for which the guess can be made using a simple heuristic and the verification carried out by induction. We have presented some applications using the prover PVS. In the future, we plan to automate the method as much as possible (including automated guess heuristics and adapted strategies for the PVS proofs) in order to cope with larger examples.

Related  work.  [BW94]  exploit  the  regularity  of  cycles  on  a  discrete  model 
(automata  with  counters).  Their  approach  is  fully  automatic  but  it  is  limited 
to  linear  operations  on  the  variables  that  are  idempotent.  [BBR97]  present  a 
similar  approach  for  a  restricted  class  of  hybrid  automata  (there  is  a  fixed  interval 
of  time  between  transitions),  but  their  method  is  fully  automatic.  Abstract 
interpretation  of  hybrid  automata  [HPR94]  would  automatically  recognize  the 
regularities  of  polyhedra  and  detect  an  invariant  which,  in  general,  is  only  an 
over-approximation  of  the  actually  reachable  states.  Finally,  [VH96]  describe  an 
approach  based  on  stepwise  refinement  for  the  verification  of  hybrid  systems, 
where  Pvs  is  used  to  prove  the  correctness  of  each  refinement  step. 

Acknowledgments.  Thanks  to  Natarajan  Shankar,  Luca  de  Alfaro,  Peter 
Habermehl,  and  the  anonymous  reviewers  of  the  Hybrid  Systems  workshop  for 
useful  comments  and  suggestions. 
Abstract. Decidability results for the verification of hybrid systems consist of constructing special finite state quotients called bisimulations whose properties are equivalent to those of the original infinite state system. This approach has had success in the case of timed automata and linear hybrid automata. In this paper, the powerful frameworks of stratification theory and subanalytic sets are presented and used in order to obtain bisimulations of certain analytic vector fields on analytic manifolds.


1  Introduction 

Hybrid  systems  consist  of  finite  state  machines  interacting  with  differential  equa¬ 
tions.  Various  modeling  formalisms,  analysis,  design  and  control  methodologies, 
as  well  as  applications,  can  be  found  in  [2-4, 10, 13].  The  theory  of  formal  verifi¬ 
cation  is  one  of  the  main  approaches  for  analyzing  properties  of  hybrid  systems. 
The  system  to  be  analyzed  is  first  modeled  as  a  hybrid  automaton,  and  the 
property  to  be  analyzed  is  expressed  using  a  formula  from  some  temporal  logic. 
Then,  model  checking  or  deductive  algorithms  are  used  in  order  to  guarantee 
that  the  system  model  indeed  satisfies  the  desired  property. 

Many  verification  algorithms  are  essentially  reachability  algorithms  which 
check  whether  the  system  can  reach  certain  undesirable  regions  of  the  state 
space.  Even  though  for  finite  state,  discrete  systems  this  approach  has  had  suc¬ 
cess,  when  dealing  with  the  infinite  state  space  of  a  hybrid  automaton,  model 
checking  algorithms  are  in  danger  of  not  terminating.  Decidability  results  for 
analyzing  hybrid  systems  consider  special  finite  state  quotients  of  the  original 
infinite  state  hybrid  automaton  called  bisimulations  [11].  Bisimulations  are  spe¬ 
cial  quotient  systems  in  the  sense  that  checking  a  property  on  the  quotient 
system  is  equivalent  to  checking  the  property  on  the  original  system.  If  an  in¬ 
finite  state  hybrid  automaton  has  a  finite  state  bisimulation  then  the  analysis 
and  verification  procedure  is  decidable. 

* Research supported by the Army Research Office under grants DAAH 04-95-1-0588 and DAAH 04-96-1-0341.
Obtaining bisimulations for purely discrete, finite state automata is clearly decidable since the underlying state space is finite. Correspondingly, the process of constructing bisimulations for hybrid systems may not terminate because of the infinite cardinality of the continuous state space and dynamics. In this paper, we consider the problem of constructing finite state bisimulations for purely continuous systems. More precisely, given an analytic vector field on an analytic manifold, a set of initial conditions and a set of unsafe states, we would like to construct a finite state transition system such that checking reachability on the finite graph is equivalent to checking reachability of the original continuous system.

In  order  to  tackle  this  problem,  the  powerful  frameworks  of  subanalytic  sets 
and  stratification  theory  [5, 12, 16]  are  used.  Subanalytic  sets  are  an  important 
class  of  sets  having  many  desirable  “finiteness”  properties.  For  example,  rela¬ 
tively  compact  subanalytic  sets  have  finitely  many  connected  components.  In 
addition,  subanalytic  sets  are  closed  under  intersections,  unions,  complementa¬ 
tion  as  well  as  forward  images  under  proper  maps  and  inverse  images.  Stratifi¬ 
cation  theory  allows  us  to  deal  with  many  technical  issues  concerning  sets  and 
their  boundaries  and  is  crucial  in  refining  partitions.  With  these  tools  we  present 
an  algorithm  for  constructing  bisimulations  of  analytic  systems  as  well  as  a  proof 
that the algorithm terminates in the case of linear vector fields in $\mathbb{R}^2$ with real
or  purely  imaginary  eigenvalues. 

The  outline  of  the  paper  is  as  follows:  In  Section  2  we  review  the  notion  of 
bisimulations  as  well  as  the  algorithm  for  computing  bisimulations  for  transition 
systems.  Section  3  presents  some  basic  facts  about  stratification  theory  and 
subanalytic  sets  and  in  Section  4  we  use  these  facts  to  construct  bisimulations 
of  analytic  vector  fields.  Finally,  Section  5  presents  interesting  issues  for  further 
research. 

2  Bisimulations 

A more detailed exposition of the material described in this section can be found in [11]. A transition system $H = (Q, \Sigma, \rightarrow, Q_0, Q_F)$ consists of a set $Q$ of states, an alphabet $\Sigma$ of events, a transition relation $\rightarrow \subseteq Q \times \Sigma \times Q$, a set $Q_0 \subseteq Q$ of initial states, and a set $Q_F \subseteq Q$ of final states. The transition system is finite if the cardinality of $Q$ is finite and it is infinite otherwise. A region is a subset $R \subseteq Q$. Given $\sigma \in \Sigma$ we define $\mathit{Pre}_\sigma(R)$ as

$\mathit{Pre}_\sigma(R) = \{ q \in Q \mid \exists p \in R \text{ and } (q, \sigma, p) \in \rightarrow \}$

and $\mathit{Pre}(R)$ as

$\mathit{Pre}(R) = \bigcup_{\sigma \in \Sigma} \mathit{Pre}_\sigma(R).$

Let $\sim \subseteq Q \times Q$ be an equivalence relation on the state space and let $Q/\!\sim$ denote the resulting quotient space. A $\sim$-block is a union of equivalence classes. For a region $R$ we denote by $R/\!\sim$ the smallest $\sim$-block that contains $R$. Thus, $Q_0/\!\sim$ and $Q_F/\!\sim$ are $\sim$-blocks containing the initial and final states respectively. The transition relation on the quotient space is defined as follows: for $Q_1, Q_2 \in Q/\!\sim$, $(Q_1, \sigma, Q_2) \in \rightarrow_\sim$ iff there exist $q_1 \in Q_1$ and $q_2 \in Q_2$ such that $(q_1, \sigma, q_2) \in \rightarrow$. The quotient transition system is then $H/\!\sim\ = (Q/\!\sim, \Sigma, \rightarrow_\sim, Q_0/\!\sim, Q_F/\!\sim)$.

The quotient system $H/\!\sim$ is a bisimulation of $H$ iff $Q_F$ is a $\sim$-block and for all $\sigma \in \Sigma$ and all $\sim$-blocks $R$, the region $\mathit{Pre}_\sigma(R)$ is a $\sim$-block. A bisimulation is called finite if it has a finite number of equivalence classes. Bisimulations are very important because bisimilar transition systems generate the same language. Therefore, checking properties on the bisimilar quotient is equivalent to checking properties of the original transition system. This is very useful in reducing the complexity of various verification algorithms. In addition, if $H$ is infinite and $H/\!\sim$ is a finite bisimulation, then verification algorithms for infinite systems (for example, hybrid systems) are guaranteed to terminate. A successful application of this approach for timed automata can be found in [1].

Two states $p, q \in Q$ are bisimilar, denoted $p \approx q$, iff there exists a bisimulation $\sim$ such that $p \sim q$. It can be shown that if $p \approx q$ then

1. $p \in Q_F$ iff $q \in Q_F$

2. if $(p, \sigma, p') \in \rightarrow$ then there exists $q'$ such that $(q, \sigma, q') \in \rightarrow$ and $p' \approx q'$

3. if $(q, \sigma, q') \in \rightarrow$ then there exists $p'$ such that $(p, \sigma, p') \in \rightarrow$ and $p' \approx q'$

It should be noted that the notion of bisimulation is very similar to the notion of dynamic consistency [7]. Given a transition system $H$, the following algorithm computes the bisimilarity partition. The algorithm terminates if the bisimilarity quotient is finite.

Algorithm (Bisimilarity for transition systems)

Set $Q/\!\sim\ = \{Q_F,\ Q \setminus Q_F\}$

while $\exists R, R' \in Q/\!\sim$ and $\sigma \in \Sigma$ such that $\emptyset \subset R \cap \mathit{Pre}_\sigma(R') \subset R$, do
    refine $Q/\!\sim\ = (Q/\!\sim\ \setminus \{R\}) \cup \{R \cap \mathit{Pre}_\sigma(R'),\ R \setminus \mathit{Pre}_\sigma(R')\}$

end while

Initially the quotient space consists of two equivalence classes, $Q_F$ and $Q \setminus Q_F$ (here $\set minus$ denotes set difference). The algorithm then checks whether there exist $\sim$-equivalence classes whose preimage under $\mathit{Pre}_\sigma$ for some $\sigma$ is neither empty nor a $\sim$-equivalence class. If there are none then a bisimilarity quotient has been reached. Otherwise there exist $R, R' \in Q/\!\sim$ such that $R \cap \mathit{Pre}_\sigma(R') \ne \emptyset$ and $R \cap \mathit{Pre}_\sigma(R')$ is a proper subset of $R$ for some $\sigma \in \Sigma$. Then the algorithm refines the partition by splitting $R$ into $R \cap \mathit{Pre}_\sigma(R')$ and $R \setminus \mathit{Pre}_\sigma(R')$. This procedure is repeated either forever or until a bisimilarity quotient is reached.
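As an added example (not from the paper), the following Python implements the algorithm above for a finite transition system of our own construction, checks the result against the definition of bisimulation from this section, and derives the quotient transition relation $\rightarrow_\sim$.

```python
"""Constructed example: the bisimilarity partition-refinement algorithm of Section 2.

A finite transition system H = (Q, Sigma, ->, Q_0, Q_F) is given explicitly; the
states, events and transitions below are our own choice.  Blocks are frozensets.
"""


def pre(trans, sigma, region):
    """Pre_sigma(R) = { q in Q | exists p in R with (q, sigma, p) in -> }."""
    return frozenset(q for (q, a, p) in trans if a == sigma and p in region)


def find_splitter(partition, alphabet, trans):
    """Return (R, R ∩ Pre_sigma(R')) for some block R cut by some Pre_sigma(R'), else None."""
    for R in partition:
        for R2 in partition:
            for sigma in alphabet:
                inter = R & pre(trans, sigma, R2)
                if inter and inter != R:          # 0 ⊂ R ∩ Pre_sigma(R') ⊂ R
                    return R, inter
    return None


def bisimilarity_partition(states, alphabet, trans, final):
    """Start from {Q_F, Q \\ Q_F} and refine until no block is cut (Q finite, so it terminates)."""
    final = frozenset(final)
    partition = {b for b in (final, frozenset(states) - final) if b}
    while True:
        split = find_splitter(partition, alphabet, trans)
        if split is None:
            return partition
        R, inter = split
        partition = (partition - {R}) | {inter, R - inter}


def is_bisimulation(partition, alphabet, trans, final):
    """Definition of Section 2: Q_F is a ~-block and every Pre_sigma(~-block) is a ~-block."""
    def is_block(region):                         # region is a union of equivalence classes
        return all(b <= region or not (b & region) for b in partition)
    return is_block(frozenset(final)) and all(
        is_block(pre(trans, sigma, R)) for sigma in alphabet for R in partition)


def quotient_transitions(partition, trans):
    """->_~ : (Q1, sigma, Q2) iff some q1 in Q1 and q2 in Q2 have (q1, sigma, q2) in ->."""
    block_of = {q: b for b in partition for q in b}
    return {(block_of[q], a, block_of[p]) for (q, a, p) in trans}


# Constructed sample system: q1 and q2 behave alike (both fire b into the final state q4),
# while q0 and q3 differ in the event they can fire, so the partition must separate them.
STATES = {"q0", "q1", "q2", "q3", "q4"}
ALPHABET = {"a", "b"}
TRANS = {("q0", "a", "q1"), ("q0", "a", "q2"), ("q1", "b", "q4"),
         ("q2", "b", "q4"), ("q3", "b", "q1")}
FINAL = {"q4"}


def demo():
    """(initial partition is a bisimulation?, refined one is?, refined blocks, |->_~|)."""
    initial = {frozenset(FINAL), frozenset(STATES) - frozenset(FINAL)}
    part = bisimilarity_partition(STATES, ALPHABET, TRANS, FINAL)
    return (is_bisimulation(initial, ALPHABET, TRANS, FINAL),   # False: Pre_b({q4}) cuts a block
            is_bisimulation(part, ALPHABET, TRANS, FINAL),      # True
            sorted(sorted(b) for b in part),
            len(quotient_transitions(part, TRANS)))
```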

Inspired by the above bisimulation algorithm, we would like to have an algorithm for obtaining finite bisimulations of analytic vector fields. More precisely, the original transition system consists of an (infinite cardinality) real analytic manifold $M$ and the transition relation is generated by the flow of an analytic vector field. A collection of subsets $A$ of $M$ can be used to describe initial conditions, guard conditions, invariants as well as undesirable regions of the state space. These sets typically exist within each discrete location of a hybrid system. Given $A$ we attempt to partition $M$ into a finite bisimilarity quotient $M/\!\sim$. If the attempt is successful, then checking reachability of various elements of $A$ can be directly done on the finite transition system $M/\!\sim$. Even though an algorithm computing bisimulations may not, in general, terminate, it may be feasible to guarantee termination for certain classes of vector fields and sets. In order to tackle these very interesting questions, we will use the framework of subanalytic sets and stratification theory.

3  Subanalytic  Sets  and  Stratifications 

3.1  Real  analytic  functions,  Manifolds,  and  Stratifications 

In this section we describe some fundamental properties of subanalytic sets. We concentrate on properties which are useful for the purpose of constructing a bisimulation for the flow of a real analytic vector field. The most important result here is the Stratification Theorem (Theorem 2). For this and other important results on subanalytic sets the main references are [5, 12, 16]. We begin by recalling several standard concepts and facts (see [6] and [9] for more details). In this paper, "manifold" means finite-dimensional, Hausdorff, second countable manifold. We say a manifold is real analytic ($C^\omega$) if the transition maps between local charts are analytic functions on their domains (which are open subsets of $\mathbb{R}^n$). An embedded submanifold $S$ of a manifold $M$ is a topological subspace of $M$ together with a differentiable structure such that the inclusion from $S$ into $M$ is a smooth immersion (i.e. has full rank at every point). A vector field $X$ on the real analytic manifold $M$ is analytic if its coordinates in any local chart are analytic. If $X$ is an analytic vector field then any integral curve of $X$ is analytic.

We are interested in intersection properties of sets. From this point of view, infinitely differentiable ($C^\infty$-) functions are not sufficiently "nice". For example, it is not hard to construct a $C^\infty$-function whose zero set is a Cantor-like set. (In fact, any closed subset of $\mathbb{R}$ is the zero set of some $C^\infty$-function.) On the other hand, real analytic functions are free from such pathologies. The following classical result illustrates this point.

Theorem 1. Let $I$ be an open interval and $f : I \rightarrow \mathbb{R}$ be an analytic function. Let $Z = \{x \in I \mid f(x) = 0\}$. Then either $Z = I$ or $Z$ has no accumulation point in $I$. Equivalently, if $f$ is not identically zero, then every compact subset of $I$ contains at most a finite number of zeros of $f$.

Definition 1. Let $M$ be a real analytic manifold. An analytic ($C^\omega$) stratification of $M$ is a partition $\mathcal{S}$ of $M$ with the following properties:

1. each $S \in \mathcal{S}$ is a connected, real analytic, embedded submanifold of $M$,

2. $\mathcal{S}$ is locally finite (i.e. every compact subset of $M$ intersects at most finitely many sets in $\mathcal{S}$),

3. given two sets $S, P \in \mathcal{S}$, $P \ne S$, such that $S \cap \bar{P} \ne \emptyset$, then $S \subseteq \bar{P}$ and $\dim S < \dim P$. (We denote by $\bar{P}$ the closure of $P$.)

The  sets  in  a  stratification  are  called  strata. 
3.2 Semianalytic and subanalytic sets

Let $M$ and $N$ be real analytic manifolds and let $C^\omega(M, N)$ denote the set of analytic functions from $M$ into $N$. (If $f \in C^\omega(M, N)$ we say $f$ is of class $C^\omega$.) Given an analytic manifold $U$, we denote by $\Sigma(C^\omega(U, \mathbb{R}))$ the Boolean algebra generated by the sets of the form $\{x : f(x) = 0\}$ or $\{x : f(x) > 0\}$, where $f \in C^\omega(U, \mathbb{R})$.

Definition 2. Let $M$ be a real analytic manifold. A subset $A$ of $M$ is semianalytic in $M$ if for every $p \in M$, there is an open neighborhood $U$ of $p$ in $M$ such that $U \cap A \in \Sigma(C^\omega(U, \mathbb{R}))$. If $A \subseteq M$ is semianalytic in $M$ we write $A \in \mathrm{SMAN}(M)$.

Definition 3. Let M be a real analytic manifold. Define SBAN_rc(M) and SBAN(M) by

1. A ∈ SBAN_rc(M) if and only if there is (N, f, A*) such that N is a real analytic manifold, f ∈ C^ω(N, M), A* ∈ SMAN(N), A* is relatively compact and A = f(A*);

2. A ∈ SBAN(M) if and only if A is a locally finite union of members of SBAN_rc(M).

We say that A is subanalytic in M if A ∈ SBAN(M). It is easy to see that A ∈ SBAN_rc(M) if and only if A is subanalytic in M and relatively compact. The following properties of subanalytic sets are easily derived from the definitions.

1. SBAN(M) is closed under locally finite unions and intersections.

2. If A ∈ SBAN(M) and f: M → N is of class C^ω and proper on A, then f(A) ∈ SBAN(N). (A function f is proper if f^{-1}(K) is compact whenever K is.)

3. If A ∈ SBAN(N) and f: M → N is of class C^ω, then f^{-1}(A) ∈ SBAN(M).

The following two properties require more subtle proofs. They can be derived from the stratification theorem for subanalytic sets.

4. If A ∈ SBAN(M) then M \ A ∈ SBAN(M).

5. A subanalytic set has a locally finite number of connected components, each of which is subanalytic.

Example 1. Points are subanalytic, and so is any locally finite union of points, for example ℤⁿ as a subset of ℝⁿ. The empty set and M are both in SBAN(M). Let a, b ∈ ℝ, a < b; then [a, b], [a, b), (a, b] and (a, b) are subanalytic in ℝ. The open ball B(p, r) centered at p of radius r in ℝⁿ is in SBAN(ℝⁿ).

Example 2. In general, as is clear from the definition, SMAN(M) is contained in SBAN(M). In particular, any semialgebraic subset of ℝⁿ is in SBAN(ℝⁿ).

The following properties clarify further the relation between subanalytic sets and their ambient space. Here we assume that M is a real analytic manifold.

6. Let N be a C^ω, embedded submanifold of M. Then A ∈ SBAN(M) ⇒ A ∩ N ∈ SBAN(N).

7. Let N be as in (6). Let A ⊂ N be relatively compact and Ā ⊂ N. Then A ∈ SBAN(N) ⇒ A ∈ SBAN(M).

8. For every p ∈ M and every neighborhood W of p, there exists an open neighborhood V_p of p such that: (a) V_p is relatively compact, (b) V_p ⊂ W, and (c) V_p ∈ SBAN(M).

Remark 1. Let N be a C^ω, embedded submanifold of M. Then if A ∈ SBAN(N) and N ∈ SBAN(M) it does not follow that A ∈ SBAN(M), as the following example shows.

Example 3. Consider the set S = {1/n : n ∈ ℕ}. As a subset of the open interval (0, ∞) the set S is subanalytic since every compact subset of (0, ∞) intersects S in finitely many points. However, as a subset of ℝ it is not subanalytic. (See Theorem 1.)

Theorem 2 (Stratification Theorem). Let M be a real analytic manifold and 𝒜 ⊂ SBAN(M), 𝒜 locally finite. Then there is a C^ω stratification 𝒮 of M such that:

1. 𝒮 ⊂ SBAN(M),

2. 𝒮 is compatible with 𝒜. That is, every set in 𝒜 is a union of strata from 𝒮.

Remark 2. It is possible to obtain stratifications in which the strata have additional properties. We mention one here which will be useful in the proof of Theorem 5. A block in M is a relatively compact, connected, C^ω, embedded submanifold S of M such that there exists a C^ω surjective diffeomorphism φ: C → S, where C is the open unit cube in ℝ^k and k = dim S, such that the graph of φ is subanalytic in ℝ^k × M. We will assume from now on that the strata in 𝒮 are blocks.

The following theorem is very useful in proving that certain sets are subanalytic.

Theorem 3. Consider any formula F of first order predicate calculus with free variables x_1, ..., x_n in analytic manifolds M_1, ..., M_n, which is obtained from formulae in some set ℱ that involve the x_i and other variables y_j (y_j ∈ N_j, N_j an analytic manifold) by means of the logical operations of conjunction, disjunction, negation, universal and existential quantification. Suppose that the quantifications are locally bounded (i.e., that every time a quantifier Qx_i occurs, with Q = ∃ or Q = ∀, then, if S_Q(x_i, y) is the scope of Qx_i and y are the other variables that are free in S_Q, it follows that for every compact set K of the y domain there is a compact J of the x_i domain such that, for each y ∈ K, "(Qx_i) S_Q(x_i, y)" is satisfied if and only if "(Qx_i ∈ J) S_Q(x_i, y)" is satisfied). Then if the formulae in ℱ define subanalytic sets, so does F.
The theorem is simply a consequence of the closure properties of the class of subanalytic sets under Boolean operations and taking direct and inverse images (provided that in the case of direct images the map is proper, see [16]). In view of this result one can, in many cases, prove that a set is subanalytic by writing its definition. The following is an example.

Proposition 1. Let X be an analytic vector field on ℝⁿ. Let S ⊂ ℝⁿ be a C^ω, embedded submanifold, which is also a subanalytic set. Let F = {q ∈ S : X(q) ∈ T_qS} (here T_qS is the tangent space to S at q). Then F is subanalytic in ℝⁿ.

Proof. We can write F = X^{-1}(TS) and a tangent vector (q, v) is in T_qS if and only if

$$
\begin{aligned}
& q \in S \;\wedge\; \Big( v = 0 \;\vee\; \big( \forall \varepsilon\; (0 < \varepsilon < 1) \Rightarrow \big( \exists p\; ( p \in S \wedge p \neq q \wedge ( \exists r > 0\; \exists s > 0\; ( r^2 = \|p - q\|^2 \\
&\qquad \wedge\; s^2 = \|v\|^2 \;\wedge\; \|s(p - q) - rv\|^2 < \varepsilon^2 r^2 s^2 \;\wedge\; \|q - p\|^2 < \varepsilon^2 ))) \big) \big) \Big)
\end{aligned}
$$

Moreover, as long as q remains in a compact set, the variables p, r, and s can be restricted to lie in a compact set. □

The following proposition can be proved similarly and will be used in the proof of Theorem 5.

Proposition 2. Let φ: (0, 1) → R be a C^ω surjective diffeomorphism with R ∈ SBAN_rc(ℝⁿ). Then the limits lim_{s→0} φ'(s)/‖φ'(s)‖ and lim_{s→1} φ'(s)/‖φ'(s)‖ exist.

A deeper and more central result for our analysis is the following. For a proof see [15].

Theorem 4. Let 𝒜 be a locally finite family of nonempty subanalytic subsets of a real analytic manifold M. For each A ∈ 𝒜, let F(A) be a finite set of real analytic vector fields on M. Then there exists a subanalytic stratification 𝒮 of M, compatible with 𝒜, and having the property that, whenever S ∈ 𝒮, S ⊂ A, A ∈ 𝒜, X ∈ F(A), then either (i) X is everywhere tangent to S or (ii) X is nowhere tangent to S.

We  finish  this  section  with  a  simple  proposition  which  illustrates  some  of 
the  good  intersection  properties  that  analytic  curves  have  with  subanalytic  sets. 
The  “finiteness”  property  indicated  in  the  proposition  makes  it  possible  to  define 
transitions  between  strata  in  a  natural  way. 

Proposition 3. Let I be an open interval, M a real analytic manifold and γ: I → M a real analytic function. Let 𝒮 be a C^ω stratification of M by subanalytic sets (that is, S ∈ 𝒮 ⇒ S ∈ SBAN(M)). If [a, b] ⊂ I then there exists a finite partition {x_1, ..., x_n} of [a, b] with the property that for each i = 1, ..., n − 1 there exists a stratum S_i ∈ 𝒮 such that γ((x_i, x_{i+1})) ⊂ S_i.
Proof. Consider the family ℐ = {γ^{-1}(S) ∩ [a, b] : S ∈ 𝒮}. Since γ([a, b]) is compact and 𝒮 is locally finite, the family ℐ is a finite partition of [a, b]. By Property 3 of subanalytic sets the sets in ℐ are subanalytic in I. By Theorem 2, there exists a C^ω stratification 𝒥 of [a, b] compatible with ℐ. Therefore, 𝒥 consists of a finite number of points and open intervals. Moreover, for each J ∈ 𝒥 there exists S ∈ 𝒮 such that γ(J) ⊂ S, as desired. □

Example 4. The assumption of subanalyticity in the proposition can not be dropped. Consider the stratification of ℝ² by the following five sets:

$$
\begin{aligned}
S_1 &= \{(0, 0)\},\\
S_2 &= \{(x, y) : x > 0 \;\wedge\; y = x \sin\tfrac{1}{x}\},\\
S_3 &= \{(x, y) : x < 0 \;\wedge\; y = x \sin\tfrac{1}{x}\},\\
S_4 &= \{(x, y) : x \neq 0 \;\wedge\; y > x \sin\tfrac{1}{x}\} \cup \{(0, y) : y > 0\},\\
S_5 &= \{(x, y) : x \neq 0 \;\wedge\; y < x \sin\tfrac{1}{x}\} \cup \{(0, y) : y < 0\}.
\end{aligned}
$$

Notice that S_1, S_2 and S_3 form the graph of the function f(x) = x sin(1/x) (f(0) = 0), while S_4 and S_5 denote the region above and below the graph, respectively. Each set is a C^ω, embedded submanifold of ℝ² and they clearly satisfy the condition on the dimension of the strata in the closure of other strata. Finally, consider the constant vector field X = ∂/∂x. Then the integral curve γ of X through (0, 0) is the x-axis (parameterized by x itself). Therefore, the image by γ of any interval containing 0 intersects both S_4 and S_5 an infinite number of times.

Fig. 1. Infinite crossings on a compact interval
4 Bisimulations of Analytic Vector Fields

Here we describe a process for the construction of a bisimulation for the flow of a real analytic vector field. We assume that we are given a real analytic vector field X on a connected real analytic manifold M as well as a finite family 𝒜 of relatively compact subanalytic sets. These sets may describe initial conditions, guards, invariants or undesirable regions of the continuous evolution within a discrete location of a hybrid automaton.

We now invoke Theorem 4 (here there is a single vector field on every stratum) to obtain a stratification 𝒮 of M by subanalytic sets which is compatible with 𝒜 and such that on each stratum X is either everywhere tangent or nowhere tangent. More precisely, for each S ∈ 𝒮 either: (1) for all q in S, X is tangent to S at q, or (2) for all q in S, X is not tangent to S at q. We now wish to study how the integral curves of X enter and leave each stratum of 𝒮. For this we need a more precise definition of what we mean by entering and leaving a stratum.

Definition 4. Given two subsets S, T of M, and a real analytic curve γ: I → M (I an open interval), we say that γ leaves S through T (or enters T from S) if one of the following exiting conditions is satisfied:

E1 there exist a, b ∈ I such that γ(t) ∈ S for all t ∈ (a, b) and γ(b) ∈ T;
E2 there exist a, b ∈ I such that γ(a) ∈ S and γ(t) ∈ T for all t ∈ (a, b).

The following proposition shows that this definition covers all possible "exiting" situations for strata of 𝒮.

Proposition 4. Let S ∈ 𝒮 and γ be as above. If there exist t_0, t_1 ∈ I such that γ(t_0) ∈ S and γ(t_1) ∉ S then there is a stratum T such that either E1 or E2 holds.

It is clear from Definition 4 that in case E1, T ∩ S̄ ≠ ∅. By property 3 of a stratification, we conclude T ⊂ S̄ and dim T < dim S. Similarly in case E2, S ⊂ T̄ and dim S < dim T.

Definition 5. We call a stratum S ∈ 𝒮 tangential if the vector field X is tangent to S at every point of S. We call a stratum transversal otherwise.

The  following  proposition  clarifies  further  the  possible  exit  situations. 

Proposition 5. Let S, T be strata in 𝒮 and γ an integral curve of X which leaves S through T. Then one (and only one) of the following holds:

1. condition E1 holds, S is a tangential stratum and T is a transversal stratum;

2. condition E2 holds, S is a transversal stratum and T is a tangential stratum.

Our goal is to construct a bisimulation as a quotient of the equivalence relation induced by the stratification 𝒮. More precisely, we would like to define the equivalence relation ~_𝒮 by p ~_𝒮 q iff p, q belong to the same stratum of 𝒮. In M/~_𝒮 there is a transition from the stratum S to the stratum T iff an integral curve of X leaves S through T. In order to obtain a bisimulation we need the stratification 𝒮 to satisfy the following two conditions:

1. if an integral curve of X starting at a point of the stratum S does not exit S, then no other integral curve starting in S leaves S,

2. whenever an integral curve of X which starts in S leaves the stratum through T, then all other integral curves which start in S leave the stratum through T.

In order to satisfy those conditions we refine the stratification further according to exit features of the integral curves. We describe the iterative process below, which is analogous to the bisimulation algorithm described in Section 2. If the process terminates we obtain the desired bisimulation.

Definition 6 (Refinement Process). The process has two steps which will need to be iterated. In the first step we refine the tangential strata and in the second we refine the transversal strata.

Step 1 Let S be a tangential stratum. For each T ∈ 𝒮, T ⊂ S̄, T ≠ S, let S_T denote the set of points q ∈ S for which the integral curve of X through q leaves S through T. Let S_0 = S \ ∪ S_T, where the union is taken over all strata T contained in S̄ and different from S. So, S_0 is the set of points q ∈ S such that the integral curve of X through q at time t = 0 remains in S for all t > 0. We subdivide S into the sets S_T and S_0. This is a finite subdivision of S.

Step 2 Let R be a transversal stratum. Let R_b = {S ∈ 𝒮 : S ≠ R, R ⊂ S̄}. For each S ∈ R_b and T ⊂ S̄ (T ≠ S), let R_{S_T} be the set of points r ∈ R such that the integral curve through r leaves R through S_T. Also, let R_{S_0} denote the set of points r ∈ R such that the integral curve through r leaves R through S_0. We subdivide R into the sets R_{S_T}, R_{S_0} where S varies over R_b. This is a finite subdivision of R.
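The Refinement Process has a finite-state counterpart: the classical partition-refinement algorithm for bisimulation of a finite transition system. The Python code below is an added illustration and is not from the paper. It treats each block of a partition as a "stratum", follows a point's successor chain until the chain first leaves the point's block (the block it leaves through, playing the role of T) or detects that it never leaves (the S_0 case), and splits blocks until conditions 1 and 2 above hold for every block. The toy system, its point names and its successor map are constructed for this illustration only.

```python
"""Finite-state analogue of the Refinement Process (added illustration, not
the paper's code). Blocks of a partition stand in for strata; a block is
split by the block that each of its points first exits through."""
from typing import Dict, FrozenSet, List, Optional, Set

Block = FrozenSet[str]
Partition = List[Block]


def block_of(partition: Partition, point: str) -> Block:
    """Return the block of `partition` that contains `point`."""
    for blk in partition:
        if point in blk:
            return blk
    raise KeyError(point)


def exit_block(partition: Partition, succ: Dict[str, str], point: str) -> Optional[Block]:
    """Follow the successor chain from `point` while it stays in the point's
    own block. Return the block of the first state outside it (the block the
    trajectory leaves through), or None if the chain never leaves (the S_0
    case of Step 1: the trajectory stays in its stratum for all t > 0)."""
    own = block_of(partition, point)
    seen: Set[str] = set()
    cur = point
    while cur in own:
        if cur in seen:          # cycle inside the block: never exits
            return None
        seen.add(cur)
        cur = succ[cur]
    return block_of(partition, cur)


def refine(partition: Partition, succ: Dict[str, str], max_rounds: int = 100):
    """Split every block by the exit block of its points (conditions 1 and 2)
    until no block changes. Returns (stable partition, rounds run)."""
    for rounds in range(1, max_rounds + 1):
        new: Partition = []
        changed = False
        for blk in partition:
            groups: Dict[Optional[Block], Set[str]] = {}
            for pt in sorted(blk):
                groups.setdefault(exit_block(partition, succ, pt), set()).add(pt)
            if len(groups) > 1:
                changed = True
            new.extend(frozenset(g) for g in groups.values())
        partition = new
        if not changed:
            return partition, rounds
    raise RuntimeError("refinement did not stabilise within max_rounds")


def quotient(partition: Partition, succ: Dict[str, str]) -> Dict[Block, Optional[Block]]:
    """Transitions of the quotient: block -> block it exits through (None = stays).
    After `refine` every point of a block agrees, so one representative suffices."""
    return {blk: exit_block(partition, succ, sorted(blk)[0]) for blk in partition}


# Constructed sample (hypothetical names): an equilibrium "o", three sample
# points r1..r3 on a transversal line, and five sample points p1..p5 in the
# open region. Each point maps to the next sampled point along its trajectory.
SUCC = {
    "o": "o",                              # equilibrium: stays forever
    "p1": "r1", "p2": "p1",                # these reach the line at r1
    "p3": "o", "p5": "p3",                 # these reach the equilibrium
    "p4": "p4",                            # this trajectory never leaves the region
    "r1": "p5", "r2": "p4", "r3": "p2",    # the line is crossed into the region
}
INITIAL: Partition = [
    frozenset({"o"}),
    frozenset({"r1", "r2", "r3"}),
    frozenset({"p1", "p2", "p3", "p4", "p5"}),
]


def run_example():
    """Refine the constructed sample and return (partition, rounds, quotient)."""
    final, rounds = refine(INITIAL, SUCC)
    return final, rounds, quotient(final, SUCC)


if __name__ == "__main__":
    final, rounds, q = run_example()
    for blk in final:
        tgt = q[blk]
        print(sorted(blk), "->", sorted(tgt) if tgt else "stays")
    print("stable after", rounds, "rounds")
```

On the sample the open region is first split into the points that exit through the line, those that exit through the equilibrium and the point that never exits (Step 1); the line is then split because its three points now exit into three different blocks (Step 2); a third round finds nothing more to split. The continuous process need not terminate (Example 5), which is why `refine` bounds the number of rounds instead of looping until stable.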

Remark 3. The new subdivision sets from Step 1 and Step 2 are not in general subanalytic. Therefore, Step 2 requires some clarification since we claim that trajectories "leave R through" one of the sets S_T or S_0. According to Definition 4 we need to verify either E1 or E2. The following proposition gives the key argument.

Proposition 6. Assume the tangential stratum S is subdivided as in Step 1. Let γ: [t_0, t_1] → M be an integral curve of X such that γ(t) ∈ S for t_0 ≤ t ≤ t_1. If there exists a set S_*, resulting from the subdivision of S, such that γ(t_0) ∈ S_* and γ(t_1) ∈ S_* then γ(t) ∈ S_* for t_0 ≤ t ≤ t_1.

Proof.  It  follows  immediately  from  the  definition  of  the  sets  in  Step  1,  since 
once  a  point  of  a  trajectory  is  in  one  such  set,  then  for  as  long  as  the  trajectory 
remains  in  S  it  will  belong  to  the  same  set.  □ 

Notation: we will write γ_q to denote the integral curve of X which passes through q at time 0, i.e. with γ_q(0) = q.

Proposition 7. With S and R as above, for each q ∈ R such that γ_q leaves R through S, there exists S_* (S_* = S_T for some T or S_* = S_0) such that γ_q leaves R through S_*.
Proof. Let γ_q: I → M, a, b ∈ I be such that γ_q(a) ∈ R and γ_q(t) ∈ S for a < t < b (we are assuming R is transversal so E2 holds). Let S_1, ..., S_k be the sets in the subdivision of S given by Step 1. Let t_i = inf{t ∈ (a, b) : γ_q(t) ∈ S_i}. Then a = min{t_i} = t_{i_0} for some i_0. We claim that γ_q leaves R through S_{i_0}. To see this let s_1 ∈ (a, b) be such that γ_q(s_1) ∈ S_{i_0}. Suppose there is s with a < s < s_1 and γ_q(s) ∈ S_j for j ≠ i_0. Then there exists s_0 with a < s_0 < s < s_1 and γ_q(s_0) ∈ S_{i_0}. But this contradicts the previous proposition, so we must have γ_q(s) ∈ S_{i_0} for a < s < s_1. □


Notice  that  in  Step  2  we  may  be  subdividing  some  sets  which  are  in  the 
closure  of  some  tangential  set.  This  requires  the  iteration  of  the  two  steps.  In 
general,  we  should  not  expect  this  process  to  terminate  even  if  we  deal  with  a 
finite  number  of  strata  or  if  we  limit  our  study  to  a  compact  set.  The  following 
example  illustrates  this  point  (see  Figure  2) . 


Example 5. Let M = ℝ² and X be the linear vector field

$$
X(x) = \begin{pmatrix} -1 & 1 \\ -1 & -1 \end{pmatrix} x.
$$

Assume the stratification consists of the following five strata: S_1 = {(0, 0)}, S_2 = {(4, 0)}, S_3 = {(x, 0) : 0 < x < 4}, S_4 = {(x, 0) : x > 4}, and S_5 = ℝ² \ ∪_{i=1}^{4} S_i. The integral curves of X are spirals moving away from the origin. Here S_1 and S_5 are tangential strata. The others are transversal strata. There is no subdivision possible (or necessary) for S_1. The curves through S_5 exit at one of the three strata S_2, S_3, or S_4. Step 1 requires that we subdivide S_5 into three regions. Two regions are composed of (parts of) the integral curves of X which exit S_5 through S_3 and S_4 respectively. The third is composed of (a part of) the single integral curve which exits through the point S_2. Step 2 now requires that we subdivide the transversal strata according to a similar rule, but now curves from S_3 leave through three different regions and we must subdivide this stratum further (into three regions, in fact). The subdivision point corresponds to the first point of intersection of S_3 and the integral curve from S_2 run backwards in time. This now causes one of the regions in S_5 to be subdivided further and clearly the process will not terminate.

Fig. 2. Process does not terminate

For  linear  vector  fields  on  the  plane,  the  existence  of  “spiral”  points,  such 
as  above,  is  the  only  obstruction  to  the  procedure  as  the  following  theorem 
illustrates. 

Theorem 5. Let M = ℝ², X be the linear vector field Ax and assume that the eigenvalues of A are either real or purely imaginary. Let K be a compact set and define 𝒮_K = {S ∈ 𝒮 : S ∩ K ≠ ∅} (which is therefore finite). Then the Refinement Process applied to 𝒮_K terminates.

Proof.  We  will  carry  out  the  proof  in  more  generality  than  necessary.  See  the 
remark  below. 

If A = 0 then the process terminates with Step 1, since for each 2-dimensional S, we have S = S_0. If A ≠ 0, then the zero set of A is either {(0, 0)} or a line through the origin. We will deal in detail with the first case. The second case can be analyzed with similar methods. We will assume that {(0, 0)} is a stratum of 𝒮 (𝒮 can be made compatible with {(0, 0)}). This implies that tangential 1-dimensional strata will not be subdivided further since such a stratum is an arc of a single trajectory of X. Hence, we only need to study the tangential 2-dimensional strata and the transversal 1-dimensional strata (there are no transversal 2-dimensional strata).

The first iteration of the process requires a special analysis. Let R, S ∈ 𝒮, S 2-dimensional and R 1-dimensional, transversal and contained in S̄. Let S_0 be as in Step 1 and R_{S_0} as in Step 2. The following lemma characterizes R_{S_0}.

Lemma 1. There is a finite stratification of R_{S_0} by subanalytic subsets of ℝ².

Proof. Since R is a block (see Remark 2), there is a C^ω diffeomorphism φ: (0, 1) → R whose graph is subanalytic in ℝ × ℝ². On the interval (0, 1) the connected sets are intervals and hence subanalytic in ℝ. Therefore, connected sets in R are subanalytic and their boundary (in R) consists of at most two points. To prove the lemma we show that R_{S_0} has finitely many connected components.

Suppose to the contrary that R_{S_0} has infinitely many connected components. Then there exist two infinite sequences {s_i}, {t_i} in the interval (0, 1) such that, for all i, s_i < t_i < s_{i+1}, φ(s_i) ∈ R_{S_0}, and φ(t_i) ∉ R_{S_0}. For each i, consider the curve C_i made up of the arcs φ([s_i, s_{i+1}]), Γ_i = {γ_{φ(s_i)}(t) : t ≥ 0}, Γ_{i+1} = {γ_{φ(s_{i+1})}(t) : t ≥ 0}, and the point (0, 0). This is a continuous, closed, simple curve and therefore it divides the plane into two open connected sets. The trajectory γ_{φ(t_i)} enters one of these sets. This trajectory does not intersect the others and it can not pass through (0, 0). Moreover, it can not leave the region through R since all trajectories cross R in the same direction. Therefore, γ_{φ(t_i)}(t) must remain in the same region for all t > 0. On the other hand, by construction γ_{φ(t_i)} must leave S. Let t̄ be the first t such that γ_{φ(t_i)}(t) ∉ S. So, q_i = γ_{φ(t_i)}(t̄) ∈ S̄ \ S. The set S ∪ R ∪ {(0, 0)} is connected, relatively compact, subanalytic, and contains each C_i. By construction each q_i is in a different connected component of S̄ \ S, but this is a contradiction since S̄ \ S has a finite number of connected components. Therefore, so does R_{S_0}, as desired. □

Since the sets S_0 will not be subdivided in subsequent iterations of the refinement process, neither will the sets R_{S_0}. If the stratum T ∈ 𝒮, T ⊂ S̄ is 0-dimensional (i.e. T is a singleton) then R_{S_T} is also 0-dimensional (by uniqueness of solutions). The following lemma characterizes the sets R_{S_T} when T is a 1-dimensional stratum.

Lemma 2. If T ∈ 𝒮 is 1-dimensional then R_{S_T} is open in R.

Proof. Let q ∈ R_{S_T}. The trajectory γ_q enters S_T and leaves S through T. Let t_1 be the smallest value of t such that γ_q(t) ∈ T. Set p = γ_q(t_1). Since X is transversal to R and T we can find relatively open (connected) neighborhoods N_R of q in R, N_T of p in T, and δ > 0, such that V = {γ_y(t) : y ∈ N_R, |t| < δ} and W = {γ_y(t) : y ∈ N_T, |t| < δ} are open, V ∩ W = ∅, V ∩ R = N_R, and W ∩ T = N_T. Moreover, we can choose the above so that {γ_y(t) : y ∈ N_R, 0 < t < δ} ⊂ S ∩ V and {γ_y(t) : y ∈ N_T, −δ < t < 0} ⊂ S ∩ W. (These constructions are a consequence of basic theorems on differential equations.) We can also assume that the only strata of dimension 0 or 1 which intersect S ∪ V ∪ W are R and T (because 𝒮 is a stratification). Notice that if γ is a trajectory of X such that γ(s) ∈ W, then there exists s' such that γ(s') ∈ W ∩ T and γ(t) ∈ W for all t between s and s'. By continuous dependence on initial conditions, for all ε > 0 there exist a neighborhood N'_R ⊂ N_R of q in R and 0 < δ' < δ such that |γ_q(t) − γ_y(t)| < ε, for all y ∈ V' = N'_R × (−δ', δ') and 0 ≤ t ≤ t_1. The set Γ = {γ_q(t) : 0 ≤ t ≤ t_1} is compact and contained in the open set S_e = S ∪ V ∪ W. Set d = ½ dist(q, {γ_q(t) : δ ≤ t ≤ t_1}). We choose ε > 0 so that ε < d, {r : dist(r, Γ) < ε} ⊂ S_e, and the ball B(p, ε), of center p and radius ε, is contained in W. Then for all y ∈ N'_R, γ_y(t) ∈ S_e for 0 ≤ t ≤ t_1 and γ_y(t_1) ∈ B(p, ε). We assume further that N'_R ⊂ B(q, ε). Let t_2 = inf{t > 0 : γ_y(t) ∈ W} (so t_2 > 0 because V ∩ W = ∅). We claim that if y ∈ N'_R, then γ_y(t) ∈ S for all 0 < t < t_2. Suppose to the contrary that there exists t with 0 < t < t_2 and γ_y(t) ∉ S ∪ W. Let t̄ = inf{t : 0 < t < t_2, γ_y(t) ∉ S ∪ W}. Since γ_y(t) ∈ S for 0 < t < δ, we know that t̄ ≥ δ > 0. On the other hand, γ_y(t̄) ∈ V'. Therefore, γ_y(t̄) ∈ S̄ ∩ S_e and so γ_y(t̄) ∈ R ∩ V' = N'_R ⊂ B(q, ε). But then dist(γ_q(t̄), q) ≤ dist(γ_q(t̄), γ_y(t̄)) + dist(γ_y(t̄), q) < 2ε, which contradicts the choice of ε. Hence, we have γ_y(t) ∈ S for y ∈ N'_R and 0 < t < t_2. By the definition of t_2 and because S is open we can find ε' > 0 such that γ_y(t) ∈ S for 0 < t < t_2 + ε' and γ_y(t_2 + ε') ∈ W. This implies that γ_y must exit S through T, i.e. y ∈ R_{S_T}. Therefore, N'_R ⊂ R_{S_T} and R_{S_T} is open in R. □

We continue with the main proof. For a 1-dimensional stratum T we can write R_{S_T} = ∪_i φ(J_i), with J_i open intervals. For each endpoint a_i of J_i, x_i = φ(a_i) is in the complement of R_{S_T}. So, either {x_i} = R_{S_{T_i}} for some 0-dimensional stratum T_i, or x_i is in the relative boundary of R_{S_0} in R. In either case, there are only finitely many such points. It follows that R_{S_T} has a finite number of connected components.

We have shown that after one iteration we obtain a finite number of singleton sets (points) and 1-dimensional connected subanalytic sets, forming a collection 𝒫^{(1)}, such that all the new subdivision sets are unions of sets in 𝒫^{(1)}. Subsequent iterations will only depend on sets of the form R_{S_T} with T ∈ 𝒫^{(1)} (not on R_{S_0}). In fact, if we define for n ≥ 2, 𝒫^{(n)} as the collection of sets R_{S_T} with T ∈ 𝒫^{(n−1)}, then subsequent subdivisions depend on 𝒫^{(n)} ≠ ∅ (that is, if 𝒫^{(n)} = ∅ then the Refinement Process terminates). Such sets R_{S_T} are always singletons and there is always a finite number of them. Moreover, by its definition, for each point p with {p} ∈ 𝒫^{(n)} there is a unique {q} ∈ 𝒫^{(n−1)} and t_p < 0 such that p = γ_q(t_p).

Suppose now that the Refinement Process does not terminate. Then there is a trajectory γ of X and an infinite sequence of points x_n with {x_n} ∈ 𝒫^{(n)}, and x_n = γ(t_n) with t_n → −∞. Since we are only subdividing sets in 𝒮_K the sequence must stay in a compact set. We may assume that {x_n} converges to a point x_0. Consider first the case when the eigenvalues of A are real. Then x_0 = (0, 0). Moreover, there exists a one dimensional stratum R of 𝒮 which contains infinitely many x_n's and therefore (0, 0) ∈ R̄. Assume that R is diffeomorphic to the interval (0, 1) via φ as above, with lim_{s→0} φ(s) = (0, 0). By Proposition 2 there exists v = lim_{s→0} φ'(s)/‖φ'(s)‖. A direct calculation shows that the following limit also exists: w = lim_{t_n→−∞} γ'(t_n)/‖γ'(t_n)‖. We must have v = w, otherwise R can not intersect γ for |t_n| large enough. By changing coordinates and restricting the study to a neighborhood of (0, 0) we may assume that {γ(t) : t < t_0} and R are both graphs of functions, say ψ_γ and ψ_R respectively, with domain (0, 1). At two consecutive intersections s_1, s_2 of these graphs, the vector X must point to opposite sides of the graph of ψ_R. By continuity, for some s, s_1 < s < s_2, the vector X(ψ_R(s)) must be tangent to R. This contradicts the transversality of R. Therefore, R and γ can not intersect near (0, 0) and the Refinement Process must terminate. In case A has purely imaginary eigenvalues, x_0 ≠ (0, 0) since all trajectories are periodic. Still a similar argument applies using v as above and w = X(x_0). This concludes the proof of the main theorem. □

Remark 4. The same proof extends to analytic vector fields on the plane with
isolated  equilibria  and  with  the  property  that  bounded  trajectories  are  either 
periodic  or  have  “limit”  directions  (the  vector  w  in  the  proof).  The  existence  of 
those  limit  directions  was  the  only  part  in  the  proof  that  used  the  linearity  of  X 
in  an  essential  way. 

5  Conclusions 

We presented some preliminary results on obtaining finite bisimulations of analytic vector fields. An algorithm is provided and termination is guaranteed for a class of linear vector fields.
Although in this paper only continuous dynamical systems were considered, the extensions to hybrid systems, even though harder, are conceptually similar. Bisimulations of hybrid systems can still be considered in the framework of subanalytic stratifications by allowing multiple vector fields as well as reset maps. However, the reset maps must be in some sense compatible with the flows for the procedure to terminate. This requirement is already necessary when dealing with timed automata whose clocks run with irrational slopes.

It  should  be  noted  that  the  main  results  of  this  paper  are  existential  since 
they  prove  the  existence  of  finite  bisimulations.  However,  there  is  a  long  way 
to  making  this  procedure  computationally  effective.  For  certain  classes  of  vector 
fields  the  construction  can  be  made  effective.  For  example,  one  could  generalize 
the  decidability  result  in  [8]  for  multi-polynomial  vector  fields  on  the  plane,  by 
effectively  constructing  a  finite  bisimulation  using  techniques  similar  to  the  ones 
in  this  paper  (allowing  for  semialgebraic  sets  instead  of  just  polyhedra). 

Furthermore, if the bisimulation algorithm does not terminate (or is not computable), it may be useful to consider system overapproximations, or abstractions [14], for which the algorithm would terminate (or can be computed).
Abstract. In this article we present a new approach for the design of hybrid systems composed of discrete and continuous parts. In our approach the system designers can start their specifications with the discrete as well as with the continuous parts. Both paradigms can be used with their own methodology and tools. There are integration mechanisms for both paradigms. For the integrated simulation, C code is generated. The advantages of our approach are demonstrated by modeling all important aspects of a system for building up motorcades. The model includes a discrete part selecting one of the different strategies modeled in the continuous parts. These are strategies for velocity and distance control for vehicles.


1  Introduction 

The increasing complexity of hybrid systems leads to the necessity of improved design methodologies. Hybrid systems in our context are mechatronic systems with discrete and continuous parts. An important task in hybrid system modeling is to guarantee a correct and well-working interaction of all the different system parts. This can be achieved by a common design process for the whole system in which every engineer can use his well-known design method for discrete or continuous parts. The result is a model of the whole system in which the different parts can be simulated and analyzed together.

There are a lot of tools for the modeling of the different parts. For continuous systems there are Adams, Dymola [EB096], alaska [Mai93a] and Dads for multi-body systems and, for control systems, Matlab [Mai93b] and MATRIXx [Int97]. For electrical engineering, SABER from Analogy Inc. in Oregon is one of the important tools. The specification tools for the discrete parts are state oriented. Important tools are STATEMATE [i-L97] for StateCharts, DesignCPN [K.97] for colored petri nets, and Skate for Lustre [HCRP91]. Some of these tools, like SABER or Dymola, try to include the whole range of technical disciplines (mechanics, hydraulics, electronics, ...) within the formalism of hybrid systems. In the area of computer science some approaches exist where continuous system parts can be integrated into the discrete modeling languages. In [PL95,WS95] petri net models are extended for the integration of the continuous parts. In [GW96] a graph based formal model is used for hybrid systems. Based on this formalism a tool KANDIS [OGW95] exists for the construction of mixed analog/digital hardware systems. The formal model allows a common graph based modeling of differential equation systems together with discrete time or discrete event systems. Every node in the graph has its own "firing rule". This "firing rule" may be one for discrete time systems, one for discrete event systems, or one for continuous time systems.

Another very interesting approach for modeling of hybrid systems is the SHIFT [DGS97] language that has been developed within the California PATH project. SHIFT is a programming language for describing dynamic networks of hybrid automata.

In all these approaches the designers of one or even both domains have to specify their parts with tools and in a modeling paradigm they do not know well. The problem with these approaches is to find an adequate description and representation for every discipline that is practicable for the engineer.

In our approach we describe continuous parts by a system of coupled differential and algebraic equations that can be formulated in three special description languages: DSC, O-DSL and O-DSS. O-DSS is used for the topological level, O-DSL for the dynamic nonlinear parts. Descriptions in O-DSS and O-DSL are translated into DSC as the basis for a process oriented simulator. The discrete parts are described in extended Predicate/Transition-Nets (Pr/T-Nets). They are a form of high-level petri nets with advanced capabilities of transitions and tokens. Transitions can carry first order formulas which have to be calculated when the transitions fire. There exists a modeling environment SEA¹ (System Engineering and Animation) developed at C-Lab which offers full support for designing and animation with Pr/T-Nets. Both design methodologies are extended for the integration of models specified in other modeling paradigms. One can start with the continuous parts as well as with the discrete parts. The other system parts can be integrated in both environments. So, the designer in every field of application can use his own well-known modeling paradigm and has to add the other part, designed by another engineer, later. The integrated simulation of the different model parts is realized by generating C code from both modeling environments.

In the following sections we will give a brief introduction to our approaches of modeling discrete and continuous parts with integration techniques for the respective other part. After that we will give a specification example by modeling motorcades, in which continuous as well as discrete parts have to be modeled.


¹ prototype available at http://www.c-lab.de/sea/
2 Domain specific Methods

2.1 Continuous Modeling

For the last 20 years MLaP has been working on software systems to support the design of mechatronic systems. These systems consist of components from mechanics, hydraulics, electrical engineering, electronics and information processing. In the shape of CAMeL (Computer-Aided Mechatronics Laboratory) [Ric96] a collection of different programs has evolved at MLaP that support the integrative system design from modeling to analysis and synthesis to realization. At the basis of all components is the representation of the system in the computer by means of appropriate description elements. For this purpose three description languages were defined to be employed on different levels of the design process. To describe the system on the topological level there is O-DSS (Objective Dynamic System Structure). The dynamic, nonlinear (and linear) continuous systems are described by a system of coupled differential and algebraic equations that can be formulated in the O-DSL (Objective Dynamic System Language) description language.


StateSpaceOdss named: motorType.
  parameter: #(Km) on: ScalarOdss;
             #(Jm) on: ScalarOdss;
  input:     #(alpha) on: ScalarOdss;
             #(getriebeMoment) on: ScalarOdss;
  output:    #(phiMotorP) on: ScalarOdss;
             #(phiMotor) on: ScalarOdss;
  state:     #(phiP) on: ScalarOdss;
             #(phi) on: ScalarOdss;
  auxiliar:  #(deltaMoment) on: ScalarOdss;

  auxiliarEquation:
    deltaMoment := ((Km * alpha) - getriebeMoment) * (1 / Jm);

  stateEquation:
    phiP' := deltaMoment;
    phi'  := phiP;

  outputEquation:
    phiMotorP := phiP;
    phiMotor  := phi;
end.


Fig. 1. Listing of the motor type


Fig. 1 displays the O-DSL description of the dynamic behavior of a simple engine. The first line defines the system motorType from the class of the continuous systems StateSpaceOdss. The system interface is defined by the keywords parameter, input, and output. In our case we have the parameters Km and Jm, the inputs alpha and getriebeMoment and the outputs phiMotorP and phiMotor. The dynamic equations are given in the body of the system. The behavior of the engine is represented by a linear differential equation of 2nd order that is converted in state space into a system of two differential equations of 1st order with the following states, listed after the keyword state: the revolution phiP and the angle phi of the motor shaft. After that, we formulate an auxiliary equation (auxiliarEquation) for the calculation of the difference torque (deltaMoment) between the torque of the motor shaft and that of the gear shaft. The differential equations are described in the stateEquation section. The derivative of a state is expressed by a prime mark (phiP'). Eventually the output equations are formulated.
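As an added illustration (not the paper's generated DSC or C code, and not part of the CAMeL tools), the following C program hand-writes what one simulation step of the motorType block of Fig. 1 amounts to: the auxiliary, state and output equations evaluated once per time step. The explicit-Euler integration scheme, the time step and all type and function names are assumptions made for this example.

```c
/* Added example, not the paper's generated DSC or C code: a hand-written C
 * equivalent of the O-DSL block motorType of Fig. 1.  The explicit-Euler
 * integration scheme and all names below are assumptions. */
#include <stdio.h>

/* parameter: and state: sections of the O-DSL listing */
typedef struct {
    double Km, Jm;      /* parameters: motor constant, motor inertia */
    double phiP, phi;   /* states: rotation rate and angle of the motor shaft */
} motor_t;

/* output: section */
typedef struct {
    double phiMotorP, phiMotor;
} motor_out_t;

/* One simulation step of length dt.  The inputs alpha (throttle) and
 * getriebeMoment (gear torque) are held constant during the step. */
static motor_out_t motor_step(motor_t *m, double alpha, double getriebeMoment,
                              double dt)
{
    /* auxiliarEquation: */
    double deltaMoment = ((m->Km * alpha) - getriebeMoment) * (1.0 / m->Jm);

    /* stateEquation: derivatives are evaluated at the old state ... */
    double phiP_dot = deltaMoment;   /* phiP' := deltaMoment */
    double phi_dot  = m->phiP;       /* phi'  := phiP        */

    /* ... and then integrated with one explicit Euler step (assumption) */
    m->phiP += dt * phiP_dot;
    m->phi  += dt * phi_dot;

    /* outputEquation: */
    motor_out_t out = { m->phiP, m->phi };
    return out;
}

/* Run n steps from rest (phiP = phi = 0) and return the final outputs. */
static motor_out_t motor_run(double Km, double Jm, double alpha,
                             double getriebeMoment, double dt, int n)
{
    motor_t m = { Km, Jm, 0.0, 0.0 };
    motor_out_t out = { 0.0, 0.0 };
    for (int i = 0; i < n; i++)
        out = motor_step(&m, alpha, getriebeMoment, dt);
    return out;
}

/* Tolerance comparison without pulling in libm. */
static int approx_eq(double a, double b)
{
    double d = a > b ? a - b : b - a;
    return d < 1e-9;
}

int main(void)
{
    /* constructed parameters: Km = 3, Jm = 1.5, alpha = 2, no gear torque */
    motor_out_t o = motor_run(3.0, 1.5, 2.0, 0.0, 0.1, 10);
    printf("after 10 steps: phiMotorP = %.3f, phiMotor = %.3f\n",
           o.phiMotorP, o.phiMotor);
    return 0;
}
```

With the constructed values the difference torque is (3*2 - 0)/1.5 = 4, so after ten steps of 0.1 s the rotation rate phiMotorP is 4.0 and the angle phiMotor, integrated from the rate of the previous step each time, is 1.8; a gear torque equal to Km*alpha leaves the shaft at rest.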

For computer processing the models are represented in the process-oriented description language DSC (Dynamic System Code) [HMN96,Hom97]. The compilation of the model from O-DSS to O-DSL to DSC and the resulting complex transformations (MBS formalisms) are effected by corresponding compilers [HMN96]. For input purposes, a convenient graphical block editor is available that allows formulation and management of the components on the O-DSS and O-DSL levels.

As the systems are becoming ever more complex, it is indispensable to formulate hybrid systems; they are systems that may comprise continuous and discrete system parts. The continuous parts describe the system dynamics while the discrete ones define logical switches that can trigger and manage events. Up to the present, the simulation of complex hybrid systems has been the only possibility of analysis and synthesis; therefore the research on novel methods and procedures is highly topical [Lyg96,Kow97,Eng97]. Connection of the discrete systems to the CAMeL tools available at MLaP can be effected on three different levels:

1. extension of the O-DSL language by elements of discrete components;
2. description of every discrete component in C code blocks with input/output behavior (SEA-Environment) that, along with the continuous parts, can be linked to form a simulator;
3. description of the discrete components by means of a particular tool and coupling on the simulator level.

The degree of the coupling between the discrete and the continuous system parts decreases from the top to the bottom level. On the first level the system is specified in just one language, which gives the engineer easy access to the formulation of hybrid systems; yet, one has to limit work to only particular groups of discrete systems (e.g., automata) in order to guarantee a rather clear language with just a few description elements. Subsequent further processing requires a rather costly extension of the languages and tools underneath by the discrete components (DSC, Simulator). The procedure described on the second level does not necessitate novel description elements; however, it brings about restrictions as to the usability of discrete components. In order to couple the discrete blocks to the continuous ones, the former have to have input/output behavior; they must also be able to read the continuous values and to generate continuous outputs. For this purpose the interfaces to the components have to be defined unequivocally. The simplest kind of handling hybrid systems is the coupling on the simulator level, which will only require synchronization and data exchange (e.g., by means of sockets, DDE, file) of the values (continuous and discrete ones) computed independently of one another.


Fig. 2. Integration of discrete system (figure: O-DSL → DSC → C-Code; continuous system and couplings; external functions for discrete systems; simulation code)


At the moment MLaP is working on the coupling of discrete systems to continuous ones by way of a combination of levels 1 and 2. For the set of finite automata, description elements will be defined (automata, events, and messages) that will serve to generate interface frames on the DSC level that allow coupling to the continuous system.

In order to evaluate the discrete system parts, C code will be generated and coupled with the simulation frame (Fig. 2). With this extension it is possible to formulate many kinds of hybrid systems (from the view of an engineer), but it is not useful for the description of parallel and non-deterministic systems. A suitable method for these kinds of systems is the Pr/T-Nets, which can be described with the SEA-Environment. From SEA an O-DSL frame can be generated that is represented as a block in the CAMeL environment, so the discrete components and the continuous components can be connected graphically. On the simulation level the integration of the Pr/T-Nets is done by linking generated C code for discrete and continuous components.

2.2  Discrete  Modeling 

The SEA (System Engineering and Animation)-Environment [KTT97,KKT96] developed at C-LAB offers full support for the modeling and design of the discrete parts of a hybrid system in a modular and distributed manner. It offers graphical abstraction mechanisms for alternative views of one model and supports the integration of modules specified with other modeling paradigms, including continuous ones. The SEA-Environment is based on a formal model with a local paradigm that allows an unambiguous modular specification, namely extended Predicate/Transition-Nets (Pr/T-Nets). They are a form of high level petri nets, but they support a more compact specification of complex systems than pure petri nets.

Pr/T-Nets [GL81] are bipartite graphs consisting of places and transitions connected with directed arcs called edges. The places may contain tokens that are consumed and produced by transitions. The edges define the "flow" of the tokens. An edge from a place to a transition means the transition consumes tokens from the place, and an edge from a transition to a place means that the transition produces tokens on the place. The tokens of a Pr/T-Net are tuples of constants over a set of data types. To further specify the flow in Pr/T-Nets, edges may be annotated by sums of constant or variable tuples, and transitions may carry first order formulas over a set of constants and variables and a firing rule used to calculate variables occurring on output edges of a transition.


Fig. 3. Pr/T-Net example


Fig. 3 shows a Pr/T-Net consisting of three places (P1, P2, P3) and one transition (T1). The tokens are integers and the firing rule of T1 adds the inputs x and y and stores the result in z. The left side of Fig. 3 shows the net before firing of T1 and the right side afterwards.

We extended the basic definition of Pr/T-Nets in order to support the integration of models specified in other modeling paradigms.

We defined a timing concept to allow the modeling of time dependent system parts. This concept allows the definition of enabling and firing delays for transitions. The enabling delay determines the time delay before a transition may become active after it has been enabled for any substitution, and the firing delay specifies how long a transition is active. If a transition is active, the tokens from the input places are removed but the tokens for the output places are not yet produced.
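To make the net of Fig. 3 and the timing concept concrete, here is an added C model of that net (not code from the SEA-Environment): places P1, P2, P3 hold integer tokens, transition T1 carries the firing rule z := x + y, and T1 has an enabling delay and a firing delay counted in discrete time steps. While T1 is active the input tokens are already gone from P1 and P2 but nothing has appeared on P3 yet, exactly the intermediate state described above. The discrete time base, the token capacity and all names are assumptions made for this example.

```c
/* Added example, not code from the SEA-Environment: a minimal C model of the
 * extended Pr/T-Net of Fig. 3 (places P1, P2, P3; transition T1 with firing
 * rule z := x + y) together with the enabling and firing delays described in
 * the text.  The discrete time base and all names are assumptions. */
#include <stdio.h>

#define MAX_TOKENS 16

/* A place holding integer tokens (the tuples of Fig. 3 are 1-tuples). */
typedef struct { int tokens[MAX_TOKENS]; int n; } place_t;

/* Transition T1 with its timing state and the variables bound on its edges. */
typedef struct {
    int enabling_delay;  /* steps between becoming enabled and becoming active */
    int firing_delay;    /* steps the transition stays active */
    int enabled_for;     /* steps already spent enabled */
    int active_for;      /* steps of activity remaining, -1 when not active */
    int x, y;            /* variables on the input edges from P1 and P2 */
} transition_t;

typedef struct { place_t P1, P2, P3; transition_t T1; } net_t;

static void put(place_t *p, int v) { if (p->n < MAX_TOKENS) p->tokens[p->n++] = v; }
static int  take(place_t *p)       { return p->tokens[--p->n]; } /* caller ensures n > 0 */

static void net_init(net_t *net, int enabling_delay, int firing_delay)
{
    net->P1.n = net->P2.n = net->P3.n = 0;
    net->T1.enabling_delay = enabling_delay;
    net->T1.firing_delay   = firing_delay;
    net->T1.enabled_for    = 0;
    net->T1.active_for     = -1;
}

/* Advance the net by one time step.  Returns 1 when T1 completes its firing. */
static int net_step(net_t *net)
{
    transition_t *t = &net->T1;
    if (t->active_for < 0) {
        if (net->P1.n == 0 || net->P2.n == 0) {   /* no substitution enables T1 */
            t->enabled_for = 0;
            return 0;
        }
        if (t->enabled_for < t->enabling_delay) { /* wait out the enabling delay */
            t->enabled_for++;
            return 0;
        }
        /* become active: bind x, y and consume the input tokens now ... */
        t->x = take(&net->P1);
        t->y = take(&net->P2);
        t->enabled_for = 0;
        t->active_for  = t->firing_delay;
    }
    if (t->active_for > 0) {                      /* ... but produce nothing yet */
        t->active_for--;
        return 0;
    }
    put(&net->P3, t->x + t->y);                   /* firing rule: z := x + y */
    t->active_for = -1;
    return 1;
}

/* Put x on P1 and y on P2 and step until T1 has fired.  Returns the number of
 * steps needed (0 if T1 does not fire within max_steps); z receives the
 * produced token when z is not NULL. */
static int net_run(int enabling_delay, int firing_delay, int x, int y,
                   int max_steps, int *z)
{
    net_t net;
    net_init(&net, enabling_delay, firing_delay);
    put(&net.P1, x);
    put(&net.P2, y);
    for (int step = 1; step <= max_steps; step++)
        if (net_step(&net)) {
            if (z) *z = net.P3.tokens[0];
            return step;
        }
    return 0;
}

/* Result token of the Fig. 3 net, or -1 if T1 did not fire. */
static int net_result(int enabling_delay, int firing_delay, int x, int y)
{
    int z = -1;
    net_run(enabling_delay, firing_delay, x, y, 100, &z);
    return z;
}

/* 1 if after `steps` steps the inputs have been consumed but no output has
 * been produced yet, i.e. T1 is active; constructed inputs 3 and 4. */
static int net_active_after(int enabling_delay, int firing_delay, int steps)
{
    net_t net;
    net_init(&net, enabling_delay, firing_delay);
    put(&net.P1, 3);
    put(&net.P2, 4);
    for (int i = 0; i < steps; i++) net_step(&net);
    return net.P1.n == 0 && net.P2.n == 0 && net.P3.n == 0;
}

int main(void)
{
    int z = 0;
    int steps = net_run(2, 3, 3, 4, 100, &z);
    printf("T1 fired after %d steps, z = %d\n", steps, z);
    return 0;
}
```

With both delays zero T1 fires in the first step; with an enabling delay of 2 and a firing delay of 3 it fires in step 6, and during steps 3 to 5 the net is in the state the text describes, with P1 and P2 already empty and P3 still empty.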

Furthermore, we allow hierarchical specifications to support a modular specification of complex systems. Places or transitions of an extended Pr/T-Net may be refined by subnets. Such hierarchical nodes have a special semantics which is defined via the activity of their subnet. A subnet of a structured transition is active as long as the structured transition itself is active, which is similar to the philosophy of structured nets as described in [CK81]. The subnet of a structured place is active as long as the structured place contains at least one token, which is similar to the hierarchical concept in statecharts [Har78].

For an easy integration of textual specification languages we allow code of programming languages within the firing rule of transitions. In our current implementation this can be C/C++ code.

For the integration of graphical specification languages the SEA-Environment allows the definition of an abstract graphical representation for a subnet used to refine a hierarchical node. This representation is also capable of "continuously" representing the system's behavior and state changes during simulation. The description of the abstract representation may use arbitrary graphical elements. Hence, existing graphical specification languages can be (re)produced by using their predefined symbols as the abstract representation of the Pr/T-subnets. All these extensions are explained in more detail in [KKT96].

After the specification of a system part as an extended Pr/T-Net we are able to validate the specification. With the built-in Pr/T-Net simulator and animator the specification can be executed and tested. The readability of the simulation is supported by the animator, which shows the abstract graphic representation of the underlying Pr/T-Net models.

If the model satisfies the expectations of the designer, C or C++ code can be generated from the model. On the one hand the C++ code can be linked together to obtain a prototype realization of the system. On the other hand C code including special statements for the integration into the CAMeL tools for the specification of the continuous system parts can be generated.

For the integration of continuous system parts into the SEA-Environment several possibilities exist. One is the integration of C code generated from the CAMeL tools for a continuous model part as annotation of a transition. In this case every time the transition fires one simulation/execution step within the continuous model is performed. The variables at the input edges of the transition can be used as input for the continuous model, and the output can be imported via the variables of the output edges into the Pr/T-Net. Section 3.2 contains an example for this integration method.

A second way is the direct transformation of differential equations into Pr/T-Nets as described in [Bri95]. In this case the differential equations have to be discretized.
Another possibility is the use of predefined library elements, for example from a block diagram library for differential equations, to rebuild the specified continuous system parts. Fig. 4 shows as an example the specification of a drive train modeled with such a library (cf. Section 3.1). Fig. 5 shows the realization of some of the library elements with their abstract graphical representation and the Pr/T-Net specifying their behavior.


Fig. 4. Linearized model of drive train built from block diagram library elements


Fig. 5. Collection of library elements: multiply, integrate, connect, sum, interface (annotated in the figure with y = x*c, delay = D, z = x-y, delay = 1)


In case of the library construction and the direct transformation the continuous models have to be discretized for realizing them as a Pr/T-Net model. This means that the decision for the final implementation technique has already been made. With the first integration method several implementation techniques for the continuous model are possible.

After integrating the continuous model parts they must be connected to the discrete parts. For this purpose elements from an interface library are used. The rightmost element in Fig. 5 is such an element from this library, used for converting a discrete value into a continuous one. The token on the place in the middle is copied within every time step to the right place. The value of the token on the middle place is changed by adding a token with the new value on the left place.

3 Specification for Motorcades

In this section a part of a mechatronic system serving as an application example for our approach is described. The model is depicted in Fig. 6. It is used for controlling the velocity of a car that shall drive in a motorcade. Inputs for the model are the position of the car driving in front of the considered car (s_leading), the desired distance between two cars driving in a motorcade (ds_ref) and the desired velocity of the car (v_ref). Outputs are the velocity (v_real) and the position (s_real) of the car. The latter is needed by other cars for controlling their velocity.


Fig. 6. System with discrete, continuous and interface parts


The whole model mainly consists of three parts. The block 'Continuous System Parts' is needed for computing the position and the velocity of the car, whereas the block 'Discrete System Parts' decides whether the car shall drive with the reference velocity or make up a motorcade with the car driving in front of itself. The continuous block contains units both for controlling the velocity dependent on the reference velocity and for controlling the velocity dependent on the position of a leading car. At any time one of these models has to be used according to the decision of the discrete system. A third block is needed for interfacing the continuous and discrete model parts.

As can be seen in the figure, several interactions between the different system parts are necessary. On the one hand the decision made within the discrete system parts depends on the position of the car computed within the continuous system parts. On the other hand the continuous computations are in turn influenced by the event flag triggered asynchronously within the discrete system parts. To summarize, all system parts, continuous and discrete ones, have to deal with continuous signals as well as with events triggered asynchronously.

In the following we describe how the example was modeled following our approach to use dedicated tools for modeling the discrete and continuous parts, whereby each tool supports the modeling of interface elements to the respective other part, the generation of code for the other tool and the integration of code generated by the other tool.


3.1 Continuous Parts

With regard to making up motorcades, we consider the longitudinal vehicle behavior. The real vehicle comprises drive and brake trains. The braking pedal acts on the master cylinder transmitting the force to the wheel brake cylinder. This leads to the brakes being actuated. In driving mode, the use of the accelerator alters the throttle valve position. The engine torque depends mainly on the actual engine-rotation speed and the position of the accelerator pedal. This engine torque is being transmitted to the driving wheels via the clutch, the gear-box, the cardan shaft, and the differential. It is transmitted to the tyre and will have an accelerating effect on the car body.


Fig. 7. Linearized model of the drive train (blocks: Engine Inertia, Wheel Inertia, Linear Slip Model, Vehicle Mass)


In order to model this complex dynamic behavior of the vehicle, we can make some simplifications and linearize the model [SR96]. An integration of the individual masses allows reduction to three masses for the drive train to be described. One mass represents the engine inertia added to the inertias of the clutch and of the gear (engine inertia). The second mass (wheel inertia) represents the inertias of the gear, shaft, and differential all related to the differential ratio and the inertias of the differential, axis, and tyre. The third mass represents the vehicle body. Fig. 7 displays this simplified substitute model including a linearized tyre model.

In the following, we will deal with the control concepts for longitudinal vehicle dynamics in order to obtain a certain velocity as well as a specified distance between two vehicles. Due to the complexity of this hybrid system, we focus on single-input/single-output controllers in order to demonstrate the switch from velocity control to distance control. Fig. 8 and Fig. 9 display the structures of the control strategies. In Fig. 8 the input to the drive train is the throttle angle α, the output is the distance s covered by the car body. The distance covered by the leading vehicle acts as an excitation signal along with the reference distance ds_ref. A camera placed in front of the following vehicle measures the real distance ds_real. Fig. 9 sketches the controller for the real velocity v_real with the reference velocity v_ref, the controller, the plant and the feedback loop.


Fig. 8. Structure of distance control

Fig. 9. Structure of velocity control

The conditions for a switch from velocity control to distance control, when the vehicle detects another one running in front, are specified in the discrete components described in the next section. Since we use linearized drive train models, the switch can be done without triggering a fading process. For implementation, it is important to mention that the inputs and states of the plant, such as the throttle angle α, velocities, angles and rotation rates of the drive train model, must be "frozen" right before the switch. After the switch, these values serve as the initial conditions for the system with the changed controller structure.

Fig. 10 shows the interaction between the discrete and the continuous components. The interior of the discrete component is provided by the SEA-Environment (cf. Section 3.2). The interface block receives the input values s_leading, ds_ref and v_ref and transmits either the distance controller input Δds or the velocity controller input Δv, depending on the flag value from the discrete block.


Fig. 10. Block diagram of the hybrid system


In this section we will describe the Pr/T-Net models for the blocks 'Discrete System Parts' and 'Interface' of Fig. 6. Afterwards the integration of C code for the continuous model parts generated by the CAMeL tools (cf. Sections 2.1 and 3.1) will be explained.


Discrete System Parts

Fig. 11. Pr/T-Net model for the discrete system parts


Fig. 11 shows the Pr/T-Net for the block 'Discrete System Parts'. The inputs of this subsystem (s_real, s_leading and ds_ref) are continuous values. The net triggers an event (flag) when a switch between velocity control and distance control is necessary within the continuous system parts. A value indicating the mode for computation ('dc' or 'vc') is attached to the event. Checking whether a switch of the mode is necessary takes place whenever the change of the own position (s_real) exceeds a certain amount (deltas). This is detected by transition T2. If the input value differs by less than deltas from the last considered value (s_ref stored in place P4), it is consumed by transition T1. In order to invoke the computation of flag, transition T2 produces a token on place P7. The transition T5, which becomes enabled due to this token, reads the actual position of the leading vehicle and the actual reference distance from the places P5 and P6. These values are updated continuously by the transitions T3 and T4. Transition T5 reads the actual mode of computation from the place P8 and computes the difference ds between the actual distance (ds_real) and the reference distance (ds_ref). According to these values one of the transitions T5, T6 and T7 fires, changing the mode to a new value if necessary. In order to avoid a permanent switching of the mode, a change from velocity control to distance control is not done until the distance to the vehicle in front falls below a value smaller than the reference distance (ds_ref - deltas), and in turn a change from distance control to velocity control is not done until the real distance exceeds (ds_ref + deltas).


Fig. 12. Pr/T-Net model for the interface parts


The model depicted in Fig. 12 realizes the interface between the discrete system parts and the continuous ones. It is responsible for a continuous production of the values Δds and Δv needed by the continuous system parts. The values depend on the continuous values s_real, s_leading, ds_ref and v_ref as well as on the value flag, which is determined asynchronously by the discrete system parts. The transformation of the event flag into a continuous signal is done by an element of the library depicted in Fig. 5. Furthermore the library elements connect and sum are used for the computation of the output values. The continuous production of the output values is done by the transitions T1 and T2. The value for the controller that is not active is set to 0.
Fig. 13. Pr/T-Net model for the continuous system parts


In order to integrate the continuous model parts into the SEA-Environment, the Pr/T-Net depicted in Fig. 13 was specified. The models distance controller, velocity controller and linearized drive train are provided as C code generated by the CAMeL tools. The transitions $T_1$, $T_2$ and $T_3$ are annotated with functions evaluating the C code for the corresponding continuous models. Since these transitions are enabled within every simulation step, the models of the controllers and the drive train are evaluated continuously.


4  Summary 

The presented approach of an integrated modeling environment for hybrid systems leaves it up to the designer which part he would like to design first. For the discrete parts he can use the SEA modeling environment for specification with Pr/T-Nets. Special interfaces are available to integrate continuous parts of the system. These parts can be specified with the CAMeL tools. In this environment one can also integrate discrete parts via interfaces to the Pr/T-Net tools. In both environments different possibilities exist for the integration of parts specified in the other modeling paradigm. The one used for the presented example is the integration of C code generated by the other environment. In this case no further investigations are necessary for the integration of the other model parts. So this integration method provides the easiest way for checking the correctness of the discrete parts working together with continuous parts and vice versa. The non-trivial example of building up a motorcade shows the usefulness of this approach.

As an advantage of our approach, every designer can model in his well known modeling paradigm and can simulate the whole system with all its different parts.
Hierarchical Hybrid Systems: Partition Deformations and Applications to the Acrobot System

Ekaterina S. Lemch and Peter E. Caines


Abstract 

In [3],[5] the notion of dynamical consistency was formulated for hybrid systems so as to define the set $\Pi(\mathcal{S})$ of dynamically consistent hybrid partition machines associated with a given continuous system $\mathcal{S}$. This theory includes the notions of a hybrid between-block (HBBC) and in-block controllable (HIBC) partition machine, the lattice HIBC($\mathcal{S}$) of (HIBC) partition machines, and that of the associated hierarchical-hybrid feedback control systems. In this paper, a brief summary of this theory is presented, and the robustness properties of a partition machine $M^\pi$ with respect to deformations of the boundaries of the blocks of $\pi$ are outlined. An application to the hybrid control of an underactuated double pendulum (Acrobot) system and a fully actuated double pendulum system is then presented. The pendulum example also introduces some properties of the blocks of a state space partition (such as in-block controllability to a distinguished state and controlled umbilical paths) which promise to facilitate the design of hierarchical hybrid control systems. Finally, some global controllability results for nonlinear systems are sketched which have application to the construction of HIBC partitions for mechanical systems.


1  Introduction 

In this paper the problem of state quantization, or abstraction, for the design of controllers for continuous systems is treated as a hierarchical control problem using the formulation developed in [6],[4] and [5]. The central notion in this theory is that of dynamical consistency (DC), wherein an abstract transition from one partition block of states to a second is required to satisfy the following condition: every state in the first block can be driven along a trajectory directly into the second block without excursions into any other block. This notion permits the definition of the finite state partition machine associated with a given continuous system $\mathcal{S}$ and a given (finite analytic) state space partition $\pi$ (see below and [4],[5]). Consequently, high level hierarchical (or abstracted) control actions may be defined and applied to the low level (or base) system. The basic definitions of hierarchical hybrid control theory are reviewed in Section 2, and we note that the recent formulations of finite bisimulations of continuous systems ([1],[7]) involve notions very similar to that of dynamical consistency.

We  consider  here  three  aspects  of  hierarchical  hybrid  control  in  the  context 
of  general  systems  and  in  terms  of  a  controlled  double  pendulum  example. 

First, in Section 3, we discuss the general problem of robustness for the high level dynamics of a partition machine $M^\pi$ with respect to system partition perturbations. More specifically, we introduce a theory of the robustness of high level (partition machine) dynamics with respect to perturbations of the boundaries of the blocks of a state space partition $\pi$. After formally defining a large class of admissible perturbations (or deformations), we give conditions for the high level dynamics of the hierarchical system to be insensitive to such deformations. The condition for such insensitivity to hold for sufficiently small perturbations is that the hybrid in-block controllability (HIBC) condition is preserved for the deformed partition blocks. We note that it is precisely the HIBC condition which is employed in the lattice theoretic formulation of (multilayered) hierarchical control systems in [6],[4] and [5]. Furthermore, the problem of finding conditions for a partition $\pi$ to be HIBC is equivalent to that of giving conditions for the global controllability of the given system within the subsets of the state space specified by the (open connected) blocks of the partition $\pi$.

Second,  in  Section  4,  we  treat  the  construction  of  partition  blocks  and  DC 
transitions  (or  connections)  for  the  underactuated  double  pendulum  system 
(called  the  Acrobot)  and  its  fully  actuated  form  (i.e.  the  double  pendulum  with 
torques  applied  at  the  shoulder  and  the  elbow).  In  order  to  do  this  we  use 
certain  novel  state  space  decompositions,  employing  blocks  possessing  the  in¬ 
block  controllability  property  with  respect  to  distinguished  state  elements  (e.g. 
equilibrium  states)  and  those  which  are  the  tubular  neighborhoods  of  umbili¬ 
cal  controlled  trajectories.  These  constructions  promise  to  facilitate  the  design 
of  hierarchical  hybrid  control  systems.  We  also  construct  partition  blocks  by 
considering  the  evolution  of  certain  state  subsets  under  specified  controls  (in 
particular  friction);  this  gives  rise  to  boundaries  which  are  (piecewise)  invariant 
manifolds  with  respect  to  specified  sets  of  controls.  The  fully  actuated  version  of 
the  Acrobot  is  then  used  to  illustrate  such  constructions  of  HIBC  partitions  and, 
further,  their  deformation  into  HIBC  partitions.  We  note  that  in  recent  work  of 
Broucke  [1]  the  construction  of  cell  boundaries  as  invariant  sets  with  respect  to 
specified  control  laws  has  also  been  considered. 

Third,  in  Section  5,  we  sketch  some  general  controllability  results  for  non¬ 
linear  systems  and  some  energy  based  notions  which  have  application  to  the 
construction  of  HIBC  partitions  for  mechanical  systems. 
2  Hybrid Partition Machines

Consider the differential system

$$\mathcal{S}:\quad \dot{x} = f(x,u),\qquad x \in \mathbb{R}^n,\ u \in \mathbb{R}^m,\ u(\cdot) \in \mathcal{U},\ f : D \times \mathbb{R}^m \to \mathbb{R}^n, \tag{1}$$

where we assume that

(i) $\mathcal{U}$ is the set of all bounded piecewise $C^q(\mathbb{R}^1)$ $(q \ge 1)$ functions of time with limits from the right (i.e. functions which are $q$ times continuously differentiable, except possibly at a finite number of points in any compact interval, and which are bounded and have limits from the right);

(ii) $f \in C^1(\mathbb{R}^{n+m})$ and for each $u \in \mathcal{U}$, $f(x,u(t))$ satisfies a global Lipschitz condition on $D$, uniformly in $t \in \mathbb{R}^1$; and

(iii) $D$ is assumed to be a closed set and to have a non-empty, path-connected interior.

We shall refer to these conditions on $f$, $D$, and $\mathcal{U}$ as the standard (control ODE) conditions.

Definition 2.1  A finite analytic partition of the state space $D \subset \mathbb{R}^n$ of (1) is a finite pairwise disjoint collection of subsets $\pi = \{X_1, X_2, \ldots, X_M\}$ such that each $X_i$ is non-empty, open and path-connected, and is such that

$$D = \bigcup_{i=1}^{M} (X_i \cup \partial X_i),$$

where, further, the boundary $\partial X_i$ of every block $X_i$ is a locally finite union of connected components of $n-p$ dimensional, $p \ge 1$, analytic manifolds (possibly with boundary). $\Pi(D)$ shall denote the set of all finite analytic partitions of $D$. For partitions $\pi_1, \pi_2 \in \Pi(D)$, $\pi_2$ is said to be weaker than $\pi_1$, denoted $\pi_1 \le \pi_2$, if, for every $X_i \in \pi_1 = \{X_1, \ldots, X_N\}$, there exists $Y_j \in \pi_2 = \{Y_1, \ldots, Y_M\}$ such that $X_i \subset Y_j$.

□

For the definition of dynamical consistency we need the following notion: a state $y \in \partial X_i \cap \partial X_j$ is said to be a facial (boundary) state of the pair of blocks $X_i, X_j$ if $y$ lies in the relative interior of $n-1$ dimensional connected components of the boundaries $\partial X_i$ and $\partial X_j$. The set of facial (boundary) states is the set of all states which are the facial states of some pair of blocks.

Definition 2.2  For $\pi \in \Pi(D)$, $(X_i, X_j) \in \pi \times \pi$ is said to be a dynamically consistent (DC) pair (with respect to $\mathcal{S}$) if and only if either $i = j$, or, if $i \ne j$, for all $x$ in $X_i$ there exists $u_x(\cdot) \in \mathcal{U}$, defined upon $[0, T_x]$, $0 < T_x < \infty$, and there exists a facial boundary state $y \in \partial X_i \cap \partial X_j$, such that:

(i) $\forall t \in [0, T_x)$, $\phi(t, x, u_x) \in X_i$, and $\lim_{t \to T_x^-} \phi(t, x, u_x) = y$;

and for the state $y$ in (i) there exists $u_y \in \mathcal{U}$ defined on $[0, T_y)$, $0 < T_y < \infty$, such that

(ii) $\forall t \in (0, T_y)$, $\phi(t, y, u_y) \in X_j$;

where $\phi(\cdot,\cdot,\cdot)$ in (i) and (ii) denotes the transition function of the vector field $f(\cdot,\cdot)$ with respect to the control functions $u_x, u_y \in \mathcal{U}$ and the initial conditions $x, y$, respectively.

□


Definition 2.3  Given $\pi \in \Pi(D)$, the hybrid DC partition machine

$$M^\pi = \big(\pi = \{X_1, \ldots, X_p\},\ U^\pi = \{u_{ij};\ 1 \le i, j \le p\},\ \Phi^\pi\big),$$

based upon the system $\mathcal{S}$, is the finite state machine defined by $\Phi^\pi(X_i, u_{ij}) = X_j$, for all $i, j$, $1 \le i, j \le |\pi|$, if and only if $(X_i, X_j)$ is DC. $\Pi(\mathcal{S})$ shall denote the set of all hybrid partition machines of $\mathcal{S}$.

□


Definition 2.4  Hybrid In-block Controllability

A hybrid partition machine $M^\pi$ is called hybrid in-block controllable (HIBC) if for every $X_i \in \pi$, and for all $x, y \in X_i$, the following holds:

$$\exists u(\cdot) \in \mathcal{U},\ \exists T,\ 0 \le T < \infty,\ \big(\forall t,\ 0 \le t \le T,\ \phi(t, x, u) \in X_i\big) \wedge \phi(T, x, u) = y, \tag{2}$$

i.e. each block $X_i \in \pi$ is controllable for the system $\mathcal{S}$.

□

The reader is referred to [3],[5] for more information on all notions introduced in this section.


3  Partition Deformations

In this section we establish conditions under which the dynamics of $M^\pi$ are robust with respect to sufficiently small perturbations of the partitions defining $M^\pi$. All of the definitions and results here are taken from [9].

Definition 3.1  A piecewise analytic (p.a.) deformation of the (finite analytic) partition boundary $\partial\pi = \bigcup_{i=1}^{n} \partial X_i$ of $D$ is a function $F : \partial\pi \to D$ with the following properties

(i) $F$ is continuous;

(ii) $F$ gives a 1 to 1 correspondence between $\partial\pi$ and $F(\partial\pi)$;

(iii) $F$ is piecewise analytic, in the sense that for every block $X_i$, $1 \le i \le n$, there exists a finite partition $\{D^i_{m,s}\}$ of the boundary $\partial X_i$ such that

$$\partial X_i = \bigcup_{m=1}^{k_i} C^i_m = \bigcup_{m=1}^{k_i} \Big( \bigcup_{s=1}^{t_m} D^i_{m,s} \Big),$$

and such that the restriction of the function $F$ to $D^i_{m,s}$, $1 \le i \le n$, $1 \le m \le k_i$, $1 \le s \le t_m$, is an analytic function; and

(iv) $F(\partial D) = \partial D$.

□

Definition 3.2  Let $\pi = \{X_1, X_2, \ldots, X_n\}$ be a finite analytic partition of the set $D$ and let $F$ be any function $F : \partial\pi \to D$ which maps the partition boundary $\partial\pi$ into $D$. A partition $\pi' = \{X'_1, X'_2, \ldots, X'_{n'}\}$ of the set $D$ is called a deformation of $\pi$ induced by $F$ if and only if $\partial\pi' = F(\partial\pi)$.

□

Theorem 3.1  Let $\pi = \{X_1, X_2, \ldots, X_n\}$ be a finite analytic partition of the compact set $D$ and let $F$ be a p.a. deformation of the partition boundary $\partial\pi$. Then,

(i) there exists a unique finite analytic partition $\pi'_F = \{X'_1, X'_2, \ldots, X'_{|\pi'_F|}\}$ of the set $D$ which is a deformation of the partition $\pi$ induced by $F$; and

(ii) $|\pi'_F| = |\pi| = n$; in other words, the cardinality of a finite analytic partition is invariant under piecewise analytic deformations.

□

Definition 3.3  Let $\pi'$ be a deformation of a partition $\pi$ induced by $F$, where $F$ is a p.a. deformation of the partition boundary. $\pi'$ is called an $\varepsilon$-deformation of the partition $\pi$ (denoted $\pi'_\varepsilon$) if

$$\|\pi - \pi'\| = \max_{z \in \partial\pi} \|z - F(z)\| = \varepsilon.$$

□

Lemma 3.1  Let $\pi = \{X_1, X_2, \ldots, X_n\}$ be a partition of a compact set $D$ and let $\pi' = \{X'_1, X'_2, \ldots, X'_n\}$ be any deformation of $\pi$ induced by $F$, where $F$ is a p.a. deformation of the partition boundary. Then there exists $\varepsilon^*$, $\varepsilon^* > 0$, such that if $\|\pi - \pi'\| < \varepsilon^*$, then for any $i$, $1 \le i \le n$, there exists a unique $j$, $1 \le j \le n$, such that

(i)

(ii) $F(\partial X_i) = \partial X'_j$.

(We shall call $X'_j$ the image of $X_i$ under $F$.)

□

Henceforth, we shall say that a deformation $\pi'$ is a small deformation (of $\pi$) if $\|\pi - \pi'\| < \varepsilon^*$, where $\varepsilon^*$ is specified by Lemma 3.1. Further, by Lemma 3.1, for small deformations we can assume without loss of generality that $X'_i$, $1 \le i \le n$, is the image of $X_i$ under $F$.

Theorem 3.2  Let $\pi = \{X_1, X_2, \ldots, X_n\}$ be an HIBC partition of the set $D$, and let $F$ be any p.a. deformation of the partition boundary of $\pi$ such that the induced deformed partition $\pi' = \{X'_1, X'_2, \ldots, X'_n\}$ is a small deformation and is HIBC. Then there exists $\varepsilon$, $\varepsilon > 0$, such that whenever $\|\pi - \pi'\| < \varepsilon$ it is the case that, for all $i, j$, $1 \le i, j \le n$,

$(X_i, X_j)$ is dynamically consistent in the partition machine $M^\pi$ $\Rightarrow$ $(X'_i, X'_j)$ is dynamically consistent in the partition machine $M^{\pi'}$.

□

We also have the following theorem under the same hypotheses as Theorem 3.2.

Theorem 3.3  Let $\pi = \{X_1, X_2, \ldots, X_n\}$ be an HIBC partition of the set $D$, and let $F$ be any p.a. deformation of the partition boundary of $\pi$ such that the induced deformed partition $\pi' = \{X'_1, X'_2, \ldots, X'_n\}$ is a small deformation and is HIBC. Then there exists $\varepsilon$, $\varepsilon > 0$, such that whenever $\|\pi - \pi'\| < \varepsilon$ it is the case that, for all $i, j$, $1 \le i, j \le n$, a block trajectory from $X_i$ to $X_j$ exists in the partition machine $M^\pi$ if and only if a block trajectory from $X'_i$ to $X'_j$ exists in the partition machine $M^{\pi'}$.

□

Theorems 3.2 and 3.3 are illustrated in Figure 1 for a two dimensional system $M$; this system appears in [8] as a continuous system which has the partition machine $M^\pi$. ($M^\pi$ itself illustrates the general result of [8] that any finite state machine may be obtained as the partition machine of some continuous base system.) Following the general construction specified in [8], a continuous control system with the vector field displayed in Figure 1 is

$$\dot z = r(z)^2\, G(z, u) + H(z)\, w,$$

where:

$z = (x, y)^T$; $u = (u_1, u_2)^T \in \mathbb{R}^2$; $w = (w_1, w_2)^T \in \mathbb{R}^2$;

$e_1 = (1, 0)^T$; $e_2 = (-\tfrac{1}{2}, \sqrt{3}/2)^T$; $e_3 = (-\tfrac{1}{2}, -\sqrt{3}/2)^T$;

$r(z) = \sqrt{x^2 + y^2}$;

$$H(z) = \sum_{i=1}^{3} \prod_{\substack{j=1 \\ j \ne i}}^{3} a_j(z),$$

where, for any $z \in X_i$, $i = 1, 2, 3$, $a_i(z) = 0$ and $a_j(z)$, $j = 1, 2, 3$, $j \ne i$, is the projection of $z$ on $e_j$ in the direction parallel to $e_k$, $k = 1, 2, 3$, $k \ne i, j$. In other words, $a_{j_1}, a_{j_2}$, $j_1, j_2 \in \{1, 2, 3\}$, $j_1 \ne i$, $j_2 \ne i$, are the coordinates of the point $z$ in the basis $\langle e_{j_1}, e_{j_2} \rangle$.

$G(z, u)$ is a continuous extension on the whole space $D = \mathbb{R}^2$ of the function $g(z, u)$ defined on $\partial\pi$ in the following way:

$$g(z, u) = \begin{cases} -u_1 e_3 - u_2 e_2, & \text{if } z \in e_1; \\ -u_1 e_1 - u_2 e_3, & \text{if } z \in e_2; \\ -u_1 e_2 - u_2 e_1, & \text{if } z \in e_3. \end{cases}$$

Observe that the function $H(z)$ vanishes on the boundary of any given cell $\partial X_i$, $i = 1, 2, 3$, leaving the function $G(z, u)$ to determine the controlled vector field there. Further, for any interior point $z \in \mathbb{R}^2 - \partial\pi$, a control vector $w$ can be chosen in such a way that it compensates the effect of the first term in the differential equation and hence guarantees local controllability at the point $z$.

For example, in $X_3$ the system $M$ is defined by

i  =  (2'1  -I  -  Xpji-viry-  -  VV-.)  -  + 

where  (p,  ip  e  [0;  3f],  is  the  angle  between  the  Ox  axis  and  Oz. 

We  observe  that  Figure  1  shows  the  converse  to  Theorem  3.2  to  be  false. 
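As an added example (not code from the paper or from [8]): the three-sector system behind Figure 1 in Python. It assumes that $X_i$ is the open cone spanned by the two basis vectors $e_j$, $j \ne i$, which is the reading under which $a_i(z) = 0$ on $X_i$ and the $a_j(z)$, $j \ne i$, are the coordinates of $z$ in $\langle e_{j_1}, e_{j_2} \rangle$; the boundary rays are then the half-lines through $e_1, e_2, e_3$. The checks confirm that $H$ vanishes on those rays and is positive inside a block, and that the boundary field $g$ pushes a state on the ray through $e_1$ into either neighbouring block depending on which of $u_1$, $u_2$ is applied.

```python
# Added example (not from the paper): the sector partition, the function H and the
# boundary field g of the Figure 1 system.  Assumption: X_i is the open cone spanned
# by e_j, j != i, and the partition boundary consists of the rays through e_1, e_2, e_3.
import math

E = {1: (1.0, 0.0),
     2: (-0.5, math.sqrt(3) / 2),
     3: (-0.5, -math.sqrt(3) / 2)}


def coords(z, j1, j2):
    """Solve z = a*e_j1 + b*e_j2 for (a, b) by Cramer's rule: these are a_j1(z), a_j2(z)."""
    (ax, ay), (bx, by) = E[j1], E[j2]
    det = ax * by - ay * bx
    return (z[0] * by - z[1] * bx) / det, (ax * z[1] - ay * z[0]) / det


def block(z, tol=1e-12):
    """Index i of the block X_i containing z, or None if z lies on a boundary ray."""
    for i in (1, 2, 3):
        j1, j2 = [j for j in (1, 2, 3) if j != i]
        a, b = coords(z, j1, j2)
        if a > tol and b > tol:
            return i
    return None


def H(z):
    """H(z) = sum_i prod_{j != i} a_j(z).  On X_i the summands for the other two
    indices contain the factor a_i(z) = 0, so only a_j1(z) * a_j2(z) survives."""
    i = block(z)
    if i is None:
        return 0.0          # on a ray one of the two block coordinates is zero
    j1, j2 = [j for j in (1, 2, 3) if j != i]
    a, b = coords(z, j1, j2)
    return a * b


def ray_of(z, tol=1e-9):
    """Index k if z lies on the open boundary ray through e_k, else None."""
    for k, (ex, ey) in E.items():
        s = z[0] * ex + z[1] * ey
        if s > tol and abs(z[0] - s * ex) < tol and abs(z[1] - s * ey) < tol:
            return k
    return None


def g(z, u):
    """Boundary field of the text: on the ray e_k, g = -u1*e_{k+2} - u2*e_{k+1}
    (indices taken mod 3), i.e. -u1*e3 - u2*e2 on e_1, and so on."""
    k = ray_of(z)
    if k is None:
        raise ValueError("g is only defined on the partition boundary")
    ka, kb = (k + 1) % 3 + 1, k % 3 + 1     # k+2 and k+1 in {1, 2, 3}
    return (-u[0] * E[ka][0] - u[1] * E[kb][0],
            -u[0] * E[ka][1] - u[1] * E[kb][1])


def block_after_step(z, u, dt=0.1):
    """Block entered by an Euler step of length dt along g(z, u) from a boundary state."""
    gx, gy = g(z, u)
    return block((z[0] + dt * gx, z[1] + dt * gy))


if __name__ == "__main__":
    print(H((1.0, 0.0)), H((-1.0, 0.0)))                     # 0.0 on the ray, 1.0 inside X_1
    print(block_after_step((1.0, 0.0), (1.0, 0.0)),
          block_after_step((1.0, 0.0), (0.0, 1.0)))          # 3 and 2: the two neighbours of ray e_1
```

The ray through $e_1$ separates $X_3 = \operatorname{cone}(e_1, e_2)$ from $X_2 = \operatorname{cone}(e_1, e_3)$; with $u = (1, 0)$ the field $-e_3$ points into $X_3$, with $u = (0, 1)$ the field $-e_2$ points into $X_2$, which is how the construction realises both transitions out of a boundary state while $H = 0$ there switches the $w$ term off.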


4  Hybrid Control of a Double Pendulum

4.1  Acrobot System

The Acrobot system (see [10],[11]) consists of a two-link rigid pendulum system with one actuator at the second joint (elbow) and a pinned first joint (shoulder) (see Figure 2); it is termed an underactuated system since it is a mechanical system with fewer actuators than degrees of freedom. The particular swing up problem addressed in [10],[11] is to change the position of the Acrobot from the downward (down-down) position to the inverted (up-up) position and balance it there.

The equations of motion of the system are ([11]):

$$d_{11}\ddot q_1 + d_{12}\ddot q_2 + h_1 + \phi_1 = 0,$$
$$d_{21}\ddot q_1 + d_{22}\ddot q_2 + h_2 + \phi_2 = \tau,$$

where

$$d_{11} = m_1 l_{c1}^2 + m_2\big(l_1^2 + l_{c2}^2 + 2 l_1 l_{c2}\cos(q_2)\big) + I_1 + I_2,$$
$$d_{12} = m_2\big(l_{c2}^2 + l_1 l_{c2}\cos(q_2)\big) + I_2,$$
$$d_{21} = d_{12},$$
$$d_{22} = m_2 l_{c2}^2 + I_2,$$
$$h_1 = -m_2 l_1 l_{c2}\sin(q_2)\,\dot q_2^2 - 2 m_2 l_1 l_{c2}\sin(q_2)\,\dot q_2 \dot q_1,$$
$$h_2 = m_2 l_1 l_{c2}\sin(q_2)\,\dot q_1^2,$$
$$\phi_1 = (m_1 l_{c1} + m_2 l_1)\,g\cos(q_1) + m_2 l_{c2}\,g\cos(q_1 + q_2),$$
$$\phi_2 = m_2 l_{c2}\,g\cos(q_1 + q_2).$$

Fig. 1: Illustration of Theorems 3.2 and 3.3 (panels: $\pi$ HIBC; $\pi'$ HIBC)


The control laws for the Acrobot in [11], and the references therein, may be analyzed in terms of the hierarchical hybrid control theory of this paper. This is because the design philosophy of [11] may be described, in general terms, as steering the state of the system from one set of states (for instance, a set in a neighbourhood of a particular equilibrium state) to a state in a neighbourhood of another specified equilibrium state. This is to be carried out by invoking a control law $L_1$ in a given feedback class which is switched to a member $L_2$ of some other class when the system state enters a specified set.
It has been shown ([11]) that, by using (exact) partial feedback linearization, the first joint (which is not directly actuated) can be driven by the coupling forces arising from the motion of the second joint to trace any given reference trajectory $q_1^d$. Moreover, subject to such a control, the surface $\{q_1 = q_1^d;\ \dot q_1 = 0\}$ may be shown by use of the Centre Manifold Theorem to define an invariant manifold in the state space which is globally attractive.

The central joint torque $\tau$ is chosen so that the angle $q_1$ converges exponentially to a value corresponding to the upright position, while the second pendulum arm (and its corresponding angle) performs a periodic oscillation with respect to the first until the state enters a neighbourhood of the saddle point equilibrium $\{q_1 = \pi/2;\ \dot q_1 = 0\}$. Subject to certain bounds on the initial energy of the system, this set of states is a (controlled) basin of attraction to the up-up position. So when the system enters this set the overall control law may be changed from $L_1$ to $L_2$, which consequently stabilizes the Acrobot in the up-up position.

The state space for this problem is

$$D = [0; 2\pi) \times [0; 2\pi) \times \mathbb{R} \times \mathbb{R}.$$

Let $\pi = \{X_1, X_2, \ldots, X_n\}$ be a partition (not necessarily HIBC) of the set $D$. We shall call any block $X_i$, $1 \le i \le m \le n$, which is a neighbourhood of a specified state $x_i$ an in-block controllable to $x_i$ (or IBC($x_i$)) block whenever any state in $X_i$ can be steered (in finite time) into any given neighbourhood of $x_i$ along a trajectory which does not leave the block.

Fig. 2: Acrobot

Let $X_i$ be an IBC($x_e$) block containing an arbitrary equilibrium state $x_e$; such blocks may be shown to exist at any of the equilibrium points of the Acrobot system, since it may be shown by a linearization analysis that we may apply an LQR controller at such a point for all sufficiently small angular velocities (whose magnitudes must be used to define each $X_i$). The IBC($x_e$) property of these blocks is indicated in Figure 3 by the self loop bearing the index I.


Fig. 3: A Partition Machine for the Acrobot System. Legend: DD is in-block controllable to the equilibrium point $x_e^{dd}$; UU is in-block controllable to the equilibrium point $x_e^{uu}$; E is a tubular neighborhood of paths DD $\to x_e^{uu}$; S is a tubular neighborhood of paths UU $\to x_e^{dd}$; $X^{-1}_{UU}$ is the friction-control-inverse (fci) of UU; $X^{-1}_{DD}$ is the fci of the block DD; $X^{-1}_E$ is the fci of the block E; $X^{-1}_S$ is the fci of the block S.


Consider the two equilibrium points

$$x_e^{uu} = (\pi/2;\ 0;\ 0;\ 0) \quad\text{and}\quad x_e^{dd} = (-\pi/2;\ 0;\ 0;\ 0),$$

which correspond to the unstable inverted and stable downward positions respectively. Let UU and DD denote IBC($x_e^{uu}$) and IBC($x_e^{dd}$) blocks, respectively. It is then possible to specify two f.a. blocks of transition states, E and S, in such a way that

$$\langle UU, S \rangle,\ \langle S, DD \rangle,\ \langle DD, E \rangle,\ \langle E, UU \rangle \ \text{ are DC pairs.}$$

The blocks E and S in the complement of UU and DD are defined to be tubular neighborhoods (consisting of piece-wise analytic paths) surrounding two selected paths, which we shall call controlled umbilical paths. These umbilical paths go from the neighborhoods DD and UU to the points $x_e^{uu}$ and $x_e^{dd}$, respectively, and hence to the blocks UU and DD, respectively, under the partial feedback linearization control law. Necessarily, the tubular boundaries of E and S are control invariant sets under the piece-wise analytic controls which define them. Hence E and S are indeed f.a. partition blocks, which we note are not in general HIBC.

Now it may be shown that by applying a friction $u^{fri} = -\gamma \dot q_2$, $\gamma > 0$, an open set of states of $D$ can be driven into the open neighborhood DD of the stable down-down position. Using this observation we can partition a part of the space $D$,

$$D - (E \cup UU \cup DD \cup S),$$

in the following way.

Define the set $X^{-1}_{UU}$ to be the inverse image of the block UU under the control $u^{fri}$, i.e.

$$X^{-1}_{UU} = \{x;\ \exists T\ \ \phi(x, T, u^{fri}) \in UU \ \text{ and }\ \forall t\ (0 \le t < T)\ \ \phi(x, t, u^{fri}) \in (UU \cup DD \cup E \cup S)^c \cap D\}.$$

We can assume without loss of generality that $X^{-1}_{UU}$ is connected. (Otherwise we shrink the UU set until all connected components of the inverse image are joined by trajectories in the open set difference between the old and the closure of the new UU sets.) Hence $X^{-1}_{UU}$ satisfies the hypotheses for a f.a. partition block.

Let $X^{-1}_{DD}$, $X^{-1}_E$, $X^{-1}_S$ be analogously defined as the f.a. inverse images of the blocks DD, E, S, respectively. Then, by construction, DC connections can be established for all the following pairs:

$$\langle X^{-1}_{UU}, UU \rangle,\ \langle X^{-1}_{DD}, DD \rangle,\ \langle X^{-1}_E, E \rangle,\ \langle X^{-1}_S, S \rangle.$$

Note that, by the uniqueness of the trajectory for a given control function, the inverse images of the blocks UU, DD, E, S are disjoint. Further, the closure of the union of all the disjoint sets defined here constitutes a closed subset $D^*$ of the entire state space $D$. Thus

$$\pi = \{UU,\ DD,\ E,\ S,\ X^{-1}_{UU},\ X^{-1}_{DD},\ X^{-1}_E,\ X^{-1}_S\}$$

is a partition of the set $D^*$.
As a result of the analysis above, the partition machine $M^\pi$ of the Acrobot is (partly) represented in Figure 3. This figure gives a high level description of a set of (hierarchical hybrid) controlled behaviours of the Acrobot.

4.2  Fully Actuated Robot

A closely related application to the analysis above of the Acrobot is that of the fully actuated Acrobot, i.e. the fully actuated double pendulum system. The only difference between this system and the Acrobot system is the presence of an input torque in the first equation:

$$d_{11}\ddot q_1 + d_{12}\ddot q_2 + h_1 + \phi_1 = \tau_1,$$
$$d_{21}\ddot q_1 + d_{22}\ddot q_2 + h_2 + \phi_2 = \tau_2,$$

where $d_{ij}$, $h_i$, $\phi_i$, $i, j = 1, 2$, are defined in the same way as in the underactuated case.

Assume that the term $d_{12}$ is nonzero for all values of $q_2$. Under this condition, which is called strong inertial coupling in [11],

$$\ddot q_2 = -\frac{1}{d_{12}}\big(d_{11}\ddot q_1 + h_1 + \phi_1 - \tau_1\big)$$

and

$$\bar d_1 \ddot q_1 + \bar h_1 + \bar\phi_1 = \tau_2 - \tau_1 d_{22}/d_{12},$$

where

$$\bar d_1 = d_{21} - d_{22} d_{11}/d_{12}, \qquad \bar h_1 = h_2 - d_{22} h_1/d_{12}, \qquad \bar\phi_1 = \phi_2 - d_{22}\phi_1/d_{12}.$$

A feedback linearizing controller can therefore be defined according to

$$\tau_1 = h_1 + \phi_1 + d_{11} v_1 + d_{12} v_2,$$
$$\tau_2 = \bar d_1 v_1 + \bar h_1 + \bar\phi_1 + \tau_1 d_{22}/d_{12},$$

where $v_1, v_2$ are additional outer loop control inputs. Using this forced linearization, the system can be represented by the four differential equations

$$\dot x_1 = x_2, \quad \dot x_2 = v_1, \quad \dot x_3 = x_4, \quad \dot x_4 = v_2,$$

where $x_1 = q_1$, $x_2 = \dot q_1$, $x_3 = q_2$, $x_4 = \dot q_2$.
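The equations of Sections 4.1 and 4.2 carried through in code, as an added example that is not the authors' implementation: the terms $d_{ij}, h_i, \phi_i$, the accelerations obtained by inverting the inertia matrix for given torques (with $\tau_1 = 0$ this is the Acrobot), the feedback linearizing torques of Section 4.2, and a sampled check of the strong inertial coupling condition $d_{12} \ne 0$. The link masses, lengths and inertias are constructed values, not the parameters of [10],[11]; the closed-loop check confirms numerically that the linearizing torques turn the joint accelerations into the outer loop inputs $(v_1, v_2)$.

```python
# Added example (not from the paper): Acrobot / double pendulum dynamics and the
# feedback linearizing controller of Section 4.2.  Parameters are constructed.
import math

# Constructed parameters (assumed): m_i mass, l_i link length, lc_i distance from
# joint i to the centre of mass of link i, I_i inertia about that centre, g gravity.
P = dict(m1=1.0, m2=1.0, l1=1.0, l2=2.0, lc1=0.5, lc2=1.0, I1=0.083, I2=0.33, g=9.81)


def terms(q1, q2, dq1, dq2, p=P):
    """d_ij, h_i, phi_i of the equations of motion (Section 4.1); d21 = d12."""
    c2, s2 = math.cos(q2), math.sin(q2)
    m1, m2, l1, lc1, lc2 = p["m1"], p["m2"], p["l1"], p["lc1"], p["lc2"]
    I1, I2, g = p["I1"], p["I2"], p["g"]
    d11 = m1 * lc1**2 + m2 * (l1**2 + lc2**2 + 2 * l1 * lc2 * c2) + I1 + I2
    d12 = m2 * (lc2**2 + l1 * lc2 * c2) + I2
    d22 = m2 * lc2**2 + I2
    h1 = -m2 * l1 * lc2 * s2 * dq2**2 - 2 * m2 * l1 * lc2 * s2 * dq2 * dq1
    h2 = m2 * l1 * lc2 * s2 * dq1**2
    phi1 = (m1 * lc1 + m2 * l1) * g * math.cos(q1) + m2 * lc2 * g * math.cos(q1 + q2)
    phi2 = m2 * lc2 * g * math.cos(q1 + q2)
    return d11, d12, d22, h1, h2, phi1, phi2


def accelerations(state, tau1, tau2, p=P):
    """Solve the two equations of motion for (ddq1, ddq2).  tau1 = 0 gives the Acrobot."""
    q1, q2, dq1, dq2 = state
    d11, d12, d22, h1, h2, phi1, phi2 = terms(q1, q2, dq1, dq2, p)
    # [d11 d12; d12 d22] [ddq1; ddq2] = [tau1 - h1 - phi1; tau2 - h2 - phi2]
    b1, b2 = tau1 - h1 - phi1, tau2 - h2 - phi2
    det = d11 * d22 - d12 * d12        # > 0, the inertia matrix is positive definite
    return (d22 * b1 - d12 * b2) / det, (d11 * b2 - d12 * b1) / det


def linearizing_torques(state, v1, v2, p=P):
    """tau_1, tau_2 of Section 4.2 for outer loop inputs (v1, v2); requires d12 != 0."""
    q1, q2, dq1, dq2 = state
    d11, d12, d22, h1, h2, phi1, phi2 = terms(q1, q2, dq1, dq2, p)
    if abs(d12) < 1e-9:
        raise ValueError("strong inertial coupling violated: d12 = 0")
    dbar1 = d12 - d22 * d11 / d12      # d21 = d12
    hbar1 = h2 - d22 * h1 / d12
    phibar1 = phi2 - d22 * phi1 / d12
    tau1 = h1 + phi1 + d11 * v1 + d12 * v2
    tau2 = dbar1 * v1 + hbar1 + phibar1 + tau1 * d22 / d12
    return tau1, tau2


def strong_inertial_coupling(p=P, samples=720):
    """True if d12 keeps one sign over a sampled sweep of q2 in [0, 2*pi)."""
    vals = [terms(0.0, 2 * math.pi * k / samples, 0.0, 0.0, p)[1] for k in range(samples)]
    return min(vals) > 0 or max(vals) < 0


def closed_loop_accelerations(state, v1, v2, p=P):
    """Accelerations after applying the linearizing torques; equal (v1, v2) by construction."""
    return accelerations(state, *linearizing_torques(state, v1, v2, p), p)


if __name__ == "__main__":
    x = (0.3, -1.2, 0.4, -0.7)                 # (q1, q2, dq1, dq2), constructed
    print(closed_loop_accelerations(x, 1.0, -2.0))                 # ~ (1.0, -2.0)
    print(accelerations((math.pi / 2, 0.0, 0.0, 0.0), 0.0, 0.0))   # up-up equilibrium, ~ (0, 0)
    print(strong_inertial_coupling())                               # True for these parameters
```

For these parameters $d_{12} = 1.33 + \cos q_2 > 0$ for every $q_2$, so the linearization is global; a parameter set with $m_2 l_{c2}^2 + I_2 < m_2 l_1 l_{c2}$ would make $d_{12}$ change sign and the sampled check would report the violation before the controller divides by it.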
For this problem the state space $D$ will be taken to be a specified compact subset of $\mathbb{R}^4$, where the states are identified (in the projection into $[-\pi; \pi) \times \mathbb{R} \times [-\pi; \pi) \times \mathbb{R}$) whenever they have identical coordinates except for differences of multiples of $2\pi$ in either the first or the third or both of these coordinates.

Let $R^I_i$, $R^{II}_j$, $0 \le i \le n$, $0 \le j \le m$, for some strictly positive integers $n$ and $m$, be any two sequences of real values such that

(i) $R^I_0 = 0 = R^{II}_0$ and $R^I_n = \pi = R^{II}_m$;

(ii) $R^I_{i-1} < R^I_i$, for any $i$, $1 \le i \le n$;

(iii) $R^{II}_{j-1} < R^{II}_j$, for any $j$, $1 \le j \le m$.

Consider the collection of sets

$$\pi = \{X_{ij};\ 1 \le i \le n,\ 1 \le j \le m\}, \qquad |\pi| = nm,$$

where each $X_{ij}$ is defined in the following way:

$$X_{ij} = \{(x_1, x_2, x_3, x_4);\ R^I_{i-1} < x_1^2 + x_2^2 < R^I_i;\ R^{II}_{j-1} < x_3^2 + x_4^2 < R^{II}_j\}.$$

Each set $X_{ij}$ is non-empty, path-connected (since any two points $a, b \in X_{ij}$ lie on the surface of a torus which is a path-connected subset of $X_{ij}$) and open. Further, the boundary of each such set is a finite union of connected analytic manifolds. Any two sets of the collection $\pi$ are disjoint by definition. The union of all the $X_{ij}$, together with their boundaries, constitutes the whole state space $D$. Hence, by Definition 2.1, $\pi$ is a finite analytic partition of $D$.


Fig.  4:  The  direct  product  of  two  annular  blocks 


Note that each block in the collection $\pi$ is equal to the direct product of two annular blocks, see Figure 4.

Using the analogy with the annular partition for the double integrator system ([5]), it can be verified that $\pi$ is an HIBC partition of $D$, i.e. each block $X_{ij}$ is controllable.

Any two adjacent blocks $X_{i_1 j_1}$, $X_{i_2 j_2}$, i.e. such that $\overline{X_{i_1 j_1}} \cap \overline{X_{i_2 j_2}} \ne \emptyset$, are mutually dynamically consistent since motions arbitrarily close to radial motions are possible within and between blocks.
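As an added example (not the authors' code) serving Definition 2.3, Theorem 3.3 and the toroidal partition just described: the partition machine $M^\pi$ of the toroidal partition as a finite transition relation, a block-trajectory query answered by breadth-first search, and the block index of a state computed from the squared radii $R^I_i$, $R^{II}_j$ with the angle identification of the previous paragraphs. Assumptions: the radii and sample states are constructed; the DC pairs are taken to be the face-adjacent blocks (exactly one annular index differs by one), since those are the neighbours sharing an $n-1$ dimensional boundary component, which is what the facial boundary state of Definition 2.2 requires; corner-adjacent blocks, whose closures meet only on a lower dimensional set, are deliberately left out. The deformed radii `R1_DEF` are an $\varepsilon$-deformation of the boundary circles used only to show which states change block.

```python
# Added example (not from the paper): partition machine and block-trajectory search
# for the toroidal partition of Section 4.2.  Radii and sample states are constructed.
import math
from collections import deque


def wrap_angle(a):
    """Identify angles modulo 2*pi by projecting into [-pi, pi)."""
    return (a + math.pi) % (2 * math.pi) - math.pi


def annulus_index(rho2, radii):
    """Index i with radii[i-1] < rho2 < radii[i]; None on a boundary circle or outside."""
    for i in range(1, len(radii)):
        if radii[i - 1] < rho2 < radii[i]:
            return i
    return None


def block_index(state, r1, r2):
    """Block X_ij containing (x1, x2, x3, x4), or None if the state is on the boundary."""
    x1, x2, x3, x4 = state
    x1, x3 = wrap_angle(x1), wrap_angle(x3)
    i = annulus_index(x1 * x1 + x2 * x2, r1)
    j = annulus_index(x3 * x3 + x4 * x4, r2)
    return None if i is None or j is None else (i, j)


def partition_machine(n, m):
    """Transition relation Phi^pi of M^pi for n x m annular blocks: each block maps to
    the set of blocks reachable by one DC transition (itself, by the i = j clause of
    Definition 2.2, and its face-adjacent neighbours)."""
    phi = {}
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            succ = {(i, j)}
            for di, dj in ((1, 0), (-1, 0), (0, 1), (0, -1)):
                k, l = i + di, j + dj
                if 1 <= k <= n and 1 <= l <= m:
                    succ.add((k, l))
            phi[(i, j)] = succ
    return phi


def block_trajectory(phi, src, dst):
    """Shortest block trajectory from src to dst in M^pi (list of blocks), or None."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        b = queue.popleft()
        if b == dst:
            path = []
            while b is not None:
                path.append(b)
                b = parent[b]
            return path[::-1]
        for nb in phi[b]:
            if nb not in parent:
                parent[nb] = b
                queue.append(nb)
    return None


# Constructed squared radii: three annuli for each pendulum (R_0 = 0 as in the text;
# the outer radius is an illustrative value rather than the paper's pi).
R1 = [0.0, 1.0, 4.0, 9.0]
R2 = [0.0, 1.0, 4.0, 9.0]
# An epsilon-deformation of the boundary: the two interior circles moved outward by 0.1.
R1_DEF = [0.0, 1.1, 4.1, 9.0]

if __name__ == "__main__":
    phi = partition_machine(3, 3)
    print(block_trajectory(phi, (1, 1), (3, 3)))
    print(block_index((1.0, 0.2, 1.5, 0.0), R1, R2), block_index((1.0, 0.2, 1.5, 0.0), R1_DEF, R2))
```

A state whose squared radius is within $\varepsilon$ of a moved circle changes block under the deformation, while the machine itself (its block count $nm$ and its transition relation) is the same object for both radii lists, which is the content of Theorem 3.1(ii) and Theorem 3.3 for this partition; a state exactly on a boundary circle is reported as `None` rather than assigned arbitrarily to a block.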

Let $X, Y$ be two adjacent blocks of a f.a. partition $\sigma(D)$. Consider a piecewise analytic deformation $\sigma'$ of $\sigma$ such that

(i) $X' \cup Y' = X \cup Y$;

(ii) $X \subset X'$ and $Y' \subset Y$;

(iii) for any block $Z \in \sigma$, such that $Z \ne X, Y$, $Z' = Z$.

We shall call such a deformation a basic deformation.

Let $\sigma'$ be a basic deformation of a f.a. partition $\sigma$ and let $\sigma'$ be such that, for a given differential control system $\mathcal{S}$ satisfying the standard conditions, the distinguished blocks $X, Y$ satisfy

(i) for any state $y \in Y - Y'$ there exists a controlled path of $\mathcal{S}$ passing from a state in $X$ to $y$ and from $y$ into $X$ which does not meet the deformed boundary;

(ii) for any two distinct states in $Y'$ which are connected by a controlled path of $\mathcal{S}$ meeting the deformed boundary there exists a controlled path connecting these states which lies in $Y'$.

We shall call such a deformation a control paths dependent deformation.

One  can  now  prove  that  any  control  paths  dependent  deformation  a  ( D )  of 
an  HIBC  partition  cr(D)  is  an  HIBC  partition  of  the  state  space  D.  Moreover,  if 
control  paths  dependent  deformations  have  been  applied  to  cr  a  finite  number  of 
times,  then  the  resulting  deformation  stays  within  the  class  of  HIBC  partitions 
of  D. 

In  the  particular  case  of  the  fully  actuated  Acrobot  it  may  be  verified  that 
such  control  paths  dependent  deformations  n  exist  for  the  toroidal  partition 
7T  described  above.  This  follows  from  the  existence  of  control  paths  dependent 
deformations  for  the  annular  partition  for  the  double  integrator  system  and  from 
the  fact  that  each  block  Xy  e  7r  can  be  represented  as  the  direct  product  of  two 
annular  blocks.  But  any  two  adjacent  blocks  of  7r  are  dynamically  consistent 
and  so  we  can  conclude  from  an  application  of  Theorem  3.3  that  the  same  holds 
for  any  partition  7r*  obtained  after  a  finite  number  of  control  paths  dependent 
deformations. 
5 Conditions Ensuring the HIBC Property of a Partition

Given a differential control system $S$ satisfying the standard conditions (with $q = 1$), we define a (continuous) positive fountain to be a state $x$ such that (i) there exists a neighborhood of $x$ such that all open ball neighborhoods of $x$ which it contains are such that the accessibility set (for all finite times) from $x$ relative to each neighborhood (i.e. via system trajectories contained in each neighborhood) is open when the state $x$ is deleted, and (ii) the radius of the largest open ball neighborhood of $x$ for which (i) holds is continuous in $x$.

A (continuous) negative fountain is a state which satisfies the analogous property to that above with coaccessibility replacing accessibility. Finally, a (continuous) fountain is a state which is both a positive and a negative (continuous) fountain. Henceforth the adjective continuous will be dropped from the term fountain; in other words, all fountains will be assumed to be continuous.

It is proved in [2] that if the open connected state space $X$ of a differential control system is such that (i) every state is a fountain, and (ii) for every state $x \in X$ there exists a control function $u_x$ such that $x$ lies in the positive omega set of itself (i.e. $x$ lies in the closure of the forward trajectory from $x$ under $u_x$), then the state space $X$ is controllable. A special case of this result is that where every state lies on some nontrivial controlled closed orbit in $X$.

We see that by an application of this result a finite analytic partition where each block satisfies the conditions (i) and (ii) is an HIBC partition.

Consider next Hamiltonian systems of the form

$$\dot q = \partial H / \partial p, \qquad \dot p = -\partial H / \partial q + u,$$

where  H  is  twice  continuously  differentiable.  Define  an  energy  slice  for  such  a 
system  as  a  connected  subset  of  the  state  space  for  which  the  values  of  the 
Hamiltonian  range  over  a  specified  open  interval  of  the  real  line.  Then  it  is 
shown  in  [2]  that  a  Hamiltonian  system  where  (i)  all  equilibria  of  the  system 
under  u  =  0  are  isolated,  and  (ii)  all  states  are  fountains,  is  such  that  any 
energy  slice  with  compact  closure  is  controllable. 

An  application  of  this  result  to  the  fully  actuated  Acrobot  problem  permits 
the  construction  of  HIBC  partitions,  however  the  utility  of  blocks  specified  as 
energy  slices  is  yet  to  be  evaluated. 
Abstract. This paper investigates how formal techniques can be used for the analysis and verification of hybrid systems [1,5,7,16] — systems involving both discrete and continuous behavior. The motivation behind such research lies in the inherent similarity of the hierarchical and decentralized control strategies of hybrid systems and the communication and operation protocols used for distributed systems in computer science. This paper focuses on the use of hybrid I/O automata [11,12] to model, analyze, and verify safety-critical hybrid systems that use emergency control subsystems to prevent the violation of their safety requirements. The paper is split into two parts. First, we develop an abstract model of a protector — an emergency control component that guarantees that the physical plant at hand adheres to a particular safety requirement. The abstract protector model specialized to a particular physical plant and a particular safety requirement constitutes the specification of a protector that enforces the particular safety property for the particular physical plant. The correctness proof of the abstract protector model leads to simple correctness proofs of the implementations of particular protectors. In addition, the composition of independent protectors, and even dependent protectors under mild conditions, guarantees the conjunction of the safety properties guaranteed by the individual protectors being composed. Second, as a case study, we specialize the aforementioned abstract protector model to simplified versions of the personal rapid transit system (PRT 2000™) under development at Raytheon Corporation and verify the correctness of overspeed and collision avoidance protectors. Such correctness proofs are repeated for track topologies ranging from a single track to a directed graph of tracks involving Y-shaped merges and diverges.
1 Introduction

The recent trend of system integration and automation has encouraged the study of hybrid systems — systems that combine continuous and discrete behavior. Although the individual problems of continuous and discrete behavior have been extensively analyzed by control theory and formal analysis, respectively, their combination has recently been aggressively studied. In particular, the automation in various safety-critical systems, such as automated transportation systems, has indicated the need for formal approaches to system analysis, design, and verification. Automated highway systems [2,8], personal rapid transit systems [6,17], and air traffic control systems [9,15] have served as benchmark problems for the development of techniques to analyze, design, and verify hybrid systems.

Many  of  the  safety-critical  systems  in  use  today  abide  by  the  engineering 
paradigm  of  using  an  emergency  control,  or  protection,  subsystem  to  prevent 
the  violation  of  the  system’s  safety  requirements.  In  this  paper  we  present  a 
formal  framework  for  the  analysis  of  systems  that  adhere  to  this  engineering 
paradigm.  The  framework  is  used  to  prove  the  correctness  of  such  protection 
subsystems  in  an  effort  to  provide  indisputable  system  safety  guarantees.  The 
formal  approach  to  the  analysis  of  such  systems  has  several  advantages.  Formal 
analysis  yields  a  precise  specification  of  the  system  and  its  safety  requirements, 
provides  insight  as  to  the  location  of  possible  design  errors,  and  minimizes  the 
duplication  of  verification  effort  when  such  errors  are  corrected.  The  technique 
of  system  validation  through  exhaustive  testing  lacks  the  insightful  feedback  and 
requires  full-fledged  regression  testing  when  design  errors  are  detected. 

In this paper, we use hybrid I/O automata [11,12] — an extension of timed I/O automata [4,14] — to define an abstract model of a protector — a subsystem that guarantees that the physical plant adheres to a particular safety requirement. The abstract protector model is parameterized in terms of the physical plant, the safety requirement, and several other quantities. The instantiation of the abstract protector, obtained by specifying the abstract protector's parameters, constitutes the specification of a protector that guarantees a particular safety property for a particular physical plant model. The proof of correctness of the abstract protector model minimizes the effort in verifying the correct operation of a particular protector implementation. In fact, such correctness proofs get reduced to simple simulations from the protector implementations to the particular instantiation of the abstract protector model. As a case study, we apply the formal framework developed towards the verification of overspeed and collision protection subsystems for simplified models of the personal rapid transit system (PRT 2000™) under development at Raytheon Corporation. The case studies presented in this paper extend the work of Weinberg, Lynch, and Delisle [17] by introducing a powerful formal framework that allows more complete system models to be used. The actual PRT 2000™ system is comprised of 4-passenger vehicles that travel on an elevated guideway of tracks involving Y-shaped merges and diverges and provide point-to-point passenger transportation. In this treatment, we verify the correct operation of overspeed and collision avoidance protectors for track topologies ranging from a single track to a directed graph of tracks involving Y-shaped merges and diverges. A detailed treatment of the work presented in this paper can be found in Ref. 6.

2  Hybrid  I/O  Automata 

A hybrid I/O automaton $A$ is a (possibly) infinite state model of a system involving both discrete and continuous behavior. The automaton $A = (U, X, Y, \Sigma^{in}, \Sigma^{int}, \Sigma^{out}, \Theta, \mathcal{D}, W)$ consists of three disjoint sets $U$, $X$, and $Y$ of variables (input, internal, and output variables, respectively), three disjoint sets $\Sigma^{in}$, $\Sigma^{int}$, and $\Sigma^{out}$ of actions (input, internal, and output actions, respectively), a nonempty set $\Theta$ of initial states, a set $\mathcal{D}$ of discrete transitions, and a set $W$ of trajectories over $V$, where $\Sigma = \Sigma^{in} \cup \Sigma^{int} \cup \Sigma^{out}$ and $V = U \cup X \cup Y$. The initial states, the discrete transitions, and the trajectories of any HIOA $A$ must however satisfy several technical conditions which are omitted here. For a detailed presentation of the HIOA model, the reader is referred to Refs. 11 and 12.

Variables in the set $V$ are typed; that is, each variable $v \in V$ ranges over the set of values $type(v)$. A valuation of $V$, also referred to as a state of $A$, is a function that associates to each variable $v$ of $V$ a value in $type(v)$. The set of all valuations of $V$, or equivalently the set of all states of $A$, is denoted by $\mathbf{V}$, or equivalently $states(A)$. Letting $v \in V$ and $S_v \subseteq type(v)$, we use the notation $v :\in S_v$ to denote the assignment of an arbitrary element of the set $S_v$ to the variable $v$. Similarly, letting $S_V \subseteq \mathbf{V}$, we use the notation $V :\in S_V$ to denote the assignment of an element of the set $type(v)$ to the variable $v$, for each $v$ in $V$, such that the resulting valuation of $V$ is an arbitrary element of the set $S_V$. Letting $s$ be a state of $A$, i.e., $s \in \mathbf{V}$, and $V' \subseteq V$, we define the restriction of $s$ to $V'$, denoted by $s\lceil V'$, to be the valuation $s'$ of the variables of $V'$ in $s$. Letting $X \subseteq \mathbf{V}$, we say that $X$ is $V'$-determinable if for all $x \in X$ and $s \in \mathbf{V}$ such that $x\lceil V' = s\lceil V'$, it is the case that $s \in X$. The continuous time evolution of the valuations of the variables in $V$ is described by a trajectory $w$ over $V$; that is, a function $T_I \to \mathbf{V}$, where $T_I$ is a left-closed interval of $\mathbb{R}^{\ge 0}$ with left endpoint equal to 0. The limit time of $w$, denoted by $w.ltime$, is defined to be the supremum of the domain of $w$, $dom(w)$. We define the first state of a trajectory $w$, denoted by $w.fstate$, to be the state $w(0)$. Moreover, if the domain of a trajectory $w$ is right-closed, then we define the last state of $w$, denoted by $w.lstate$, to be the state $w(w.ltime)$.

A hybrid execution fragment $\alpha$ of $A$ is a finite or infinite alternating sequence $w_0 a_1 w_1 a_2 w_2 \cdots$, where $w_i \in W$, $a_i \in \Sigma$, and if $w_i$ is not the last trajectory of $\alpha$ then $w_i$ is right-closed and the discrete transition $(w_i.lstate, a_{i+1}, w_{i+1}.fstate)$ is in $\mathcal{D}$, or equivalently $w_i.lstate \xrightarrow{a_{i+1}}_A w_{i+1}.fstate$. If $w_0.fstate \in \Theta$ then $\alpha$ is a hybrid execution of $A$. A hybrid execution $\alpha$ of $A$ is finite if it is a finite sequence and the domain of its final trajectory is a right-closed interval, and admissible if $\alpha.ltime = \infty$. If $R \subseteq states(A)$ and $s, s' \in R$, then $s'$ is $R$-reachable from $s$ provided that there is a hybrid execution fragment of $A$ that starts in $s$, ends in $s'$, and all of whose states are in the set $R$.

The hybrid trace of a hybrid execution fragment $\alpha$ of $A$, denoted by $h\text{-}trace(\alpha)$, is the sequence obtained by projecting $\alpha$ onto the external variables of $A$ and subsequently removing all inert internal and environment actions. The set of hybrid traces of $A$, denoted by $h\text{-}traces(A)$, is the set of hybrid traces that arise from all the finite and admissible hybrid executions of $A$.

A superdense time in an execution fragment $\alpha$ of $A$ is a pair $(i, t)$, where $t \le w_i.ltime$. We totally order superdense times in the execution fragment $\alpha$ lexicographically. An occurrence of a state $s$ in an execution fragment $\alpha$ of $A$ is a triple $(i, t, s)$ such that $(i, t)$ is a superdense time in $\alpha$ and $s = w_i(t)$. State occurrences in $\alpha$ are ordered according to their superdense times. If $S$ is a set of states of $A$ and $\alpha$ is an execution fragment of $A$, then $past(S, \alpha)$ is the set of state occurrences $(i, t, s)$ in $\alpha$ such that either $s \in S$ or there is a previous state occurrence $(i', t', s')$ in $\alpha$ with $s' \in S$.

Two HIOA $A_1$ and $A_2$ are compatible if $X_i \cap V_j = Y_i \cap Y_j = \Sigma^{int}_i \cap \Sigma_j = \Sigma^{out}_i \cap \Sigma^{out}_j = \emptyset$, for $i, j \in \{1, 2\}$, $i \neq j$. If $A_1$ and $A_2$ are compatible then their composition $A_1 \times A_2$ is defined to be the tuple $A = (U, X, Y, \Sigma^{in}, \Sigma^{int}, \Sigma^{out}, \Theta, \mathcal{D}, W)$ given by $U = (U_1 \cup U_2) - (Y_1 \cup Y_2)$, $X = X_1 \cup X_2$, $Y = Y_1 \cup Y_2$, $\Sigma^{in} = (\Sigma^{in}_1 \cup \Sigma^{in}_2) - (\Sigma^{out}_1 \cup \Sigma^{out}_2)$, $\Sigma^{int} = \Sigma^{int}_1 \cup \Sigma^{int}_2$, $\Sigma^{out} = \Sigma^{out}_1 \cup \Sigma^{out}_2$, $\Theta = \{s \in \mathbf{V} \mid s\lceil V_1 \in \Theta_1 \wedge s\lceil V_2 \in \Theta_2\}$, and sets of discrete transitions $\mathcal{D}$ and trajectories $W$ each of whose elements projects to discrete transitions and trajectories, respectively, of $A_1$ and $A_2$.

Two HIOA $A_1$ and $A_2$ are comparable if they have the same external interface, i.e., $U_1 = U_2$, $Y_1 = Y_2$, $\Sigma^{in}_1 = \Sigma^{in}_2$, and $\Sigma^{out}_1 = \Sigma^{out}_2$. If $A_1$ and $A_2$ are comparable, then $A_1 \le A_2$ is defined to denote that the hybrid traces of $A_1$ are included in those of $A_2$; that is, $A_1 \le A_2 \equiv h\text{-}traces(A_1) \subseteq h\text{-}traces(A_2)$. If $A_1 \le A_2$, then we say that $A_1$ implements $A_2$.
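As an added illustration of the compatibility, composition and comparability definitions above (example code written for this edit, not part of the paper), the following Python encodes only the static interface of an HIOA, its variable and action sets, and checks the set conditions mechanically; it also checks the protector conditions of Section 3 against a constructed plant. The sample interfaces for a plant, a sensor and a discrete controller, and the `hide` operation that reclassifies the sensor's `snapshot` output as an internal action before the protector check, are assumptions of this example; the paper does not define hiding.

```python
from dataclasses import dataclass

fs = frozenset


@dataclass(frozen=True)
class Interface:
    """Static part of an HIOA: variable sets U, X, Y and action sets Sin, Sint, Sout (names only)."""
    U: frozenset
    X: frozenset
    Y: frozenset
    Sin: frozenset
    Sint: frozenset
    Sout: frozenset

    @property
    def V(self):
        return self.U | self.X | self.Y

    @property
    def Sigma(self):
        return self.Sin | self.Sint | self.Sout


def compatible(a, b):
    """X_i ∩ V_j = Y_i ∩ Y_j = Σint_i ∩ Σ_j = Σout_i ∩ Σout_j = ∅ for i ≠ j."""
    for p, q in ((a, b), (b, a)):
        if p.X & q.V or p.Y & q.Y or p.Sint & q.Sigma or p.Sout & q.Sout:
            return False
    return True


def compose(a, b):
    """Interface of A1 × A2 as defined in the text: outputs feed the matching inputs."""
    if not compatible(a, b):
        raise ValueError("automata are not compatible")
    return Interface(
        U=(a.U | b.U) - (a.Y | b.Y),
        X=a.X | b.X,
        Y=a.Y | b.Y,
        Sin=(a.Sin | b.Sin) - (a.Sout | b.Sout),
        Sint=a.Sint | b.Sint,
        Sout=a.Sout | b.Sout,
    )


def comparable(a, b):
    """Same external interface (U, Y, Σin, Σout agree): the prerequisite for A1 ≤ A2."""
    return a.U == b.U and a.Y == b.Y and a.Sin == b.Sin and a.Sout == b.Sout


def hide(a, actions):
    """Assumed helper (not defined on the page): reclassify output actions as internal."""
    return Interface(a.U, a.X, a.Y, a.Sin, a.Sint | (a.Sout & actions), a.Sout - actions)


def is_protector(a, pp, pp_ports, K):
    """Protector for PP on port set K: compatible with PP, outputs exactly PP's inputs on K,
    and all of its own inputs are outputs of PP."""
    in_on_K = fs().union(*(pp_ports[k]["in"] for k in K))
    vars_on_K = fs().union(*(pp_ports[k]["uvars"] for k in K))
    return (compatible(a, pp) and a.Sout == in_on_K and a.Y == vars_on_K
            and a.Sin <= pp.Sout and a.U <= pp.Y)


# Constructed sample: a plant observed through pos/vel and commanded on port j by brake/release.
PP = Interface(U=fs(), X=fs({"accel"}), Y=fs({"pos", "vel"}),
               Sin=fs({"brake", "release"}), Sint=fs(), Sout=fs())
PP_PORTS = {"j": {"in": fs({"brake", "release"}), "uvars": fs()}}
SENSOR = Interface(U=fs({"pos", "vel"}), X=fs({"now", "next_snap"}), Y=fs(),
                   Sin=fs(), Sint=fs(), Sout=fs({"snapshot"}))
DC = Interface(U=fs(), X=fs({"send"}), Y=fs(),
               Sin=fs({"snapshot"}), Sint=fs(), Sout=fs({"brake", "release"}))
# A second controller that also drives port j: shares the output action "brake".
DC_OTHER = Interface(U=fs(), X=fs({"send2"}), Y=fs(),
                     Sin=fs({"snapshot"}), Sint=fs(), Sout=fs({"brake"}))


def build_protector():
    """Sensor × DC with the internal snapshot channel hidden."""
    return hide(compose(SENSOR, DC), fs({"snapshot"}))


def closed_system():
    """PP × protector: no free inputs remain once the protector is attached."""
    return compose(build_protector(), PP)
```

The last check in the test below is the interface-level reason Theorem 2 demands disjoint port sets: two protectors that both emit an input action of the same port share an output action and are therefore not compatible, so their composition is not even defined.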

3  Protected  Plant  Systems 

A  protected  plant  system  is  modeled  abstractly  as  a  physical  plant  interacting 
with  a  protection  system.  The  protection  system  is  modeled  as  the  composition 
of  a  set  of  protectors  each  of  which  is  supposed  to  enforce  a  particular  safety 
requirement  of  the  physical  plant.  Our  model  is  abstract  in  the  sense  that  it  does 
not  specify  any  of  the  details  or  safety  requirements  of  the  physical  plant. 

The physical plant and each of the protectors are modeled as HIOA. The physical plant $PP$ is an automaton that is assumed to be interacting with the protectors through the set $J$ of communication channels, which are referred to as ports. The input action set $\Sigma^{in}_{PP}$, the output action set $\Sigma^{out}_{PP}$, and the input variable set $U_{PP}$ are partitioned into subsets $\Sigma^{in}_{PP_j}$, $\Sigma^{out}_{PP_j}$, and $U_{PP_j}$, respectively, one for each port $j$. We use the letter $p$ to denote a state of $PP$ and $P$ to denote a set of states of $PP$. A protector $A$ for the physical plant $PP$ and the port set $K \subseteq J$ is an automaton that is compatible with $PP$ and whose output actions are exactly the input actions of $PP$ on ports in $K$, whose output variables are exactly the input variables of $PP$ on ports in $K$, and all of whose input actions and input variables are outputs of $PP$. It can easily be shown that the composition of two distinct protectors is itself a protector.

Letting $S$, $R$, and $G$ be particular sets of states of $PP$, a protector automaton $A$ for $PP$ and ports $K$ guarantees $G$ in $PP$ from $S$ given $R$ provided that every finite execution of the composition $PP \times A$ starting in a state in $S$ that only involves states in $R$ ends in a state in $G$, regardless of the inputs that arrive at $PP$ on ports other than those in $K$. Two protectors are dependent if the correct operation of one relies on the correct operation of the other, and independent otherwise. The following theorems express the substitutivity condition — the condition under which the implementation of a protector is correct with respect to its specification — and the compositional conditions — conditions under which the composition of independent or dependent protectors guarantees the conjunction of the safety properties guaranteed by the protectors being composed.

Theorem 1 (Substitutivity). Let $A_1$ and $A_2$ be two protector automata for the same port set $K$ of a physical plant automaton $PP$, and suppose that $A_1 \le A_2$. If $A_2$ guarantees $G$ in $PP$ from $S$ given $R$, then $A_1$ guarantees $G$ in $PP$ from $S$ given $R$.

Theorem 2 (Independent Protector Composition). Suppose that $A_1, A_2, \ldots, A_k$ are protector automata for a physical plant automaton $PP$, with respective port sets $K_1, K_2, \ldots, K_k$, where $K_i \cap K_{i'} = \emptyset$, for all $i, i' \in \{1, \ldots, k\}$, $i \neq i'$. Suppose that each of the protectors $A_i$, for all $i \in \{1, \ldots, k\}$, guarantees $G_i$ from $S_i$ given $R_i$. If the protectors $A_1, A_2, \ldots, A_k$ are compatible, then their composition $\prod_{i \in \{1, \ldots, k\}} A_i$ is a protector for $PP$ that guarantees $\bigcap_{i \in \{1, \ldots, k\}} G_i$ from $\bigcap_{i \in \{1, \ldots, k\}} S_i$ given $\bigcap_{i \in \{1, \ldots, k\}} R_i$.

Theorem 3 (Dependent Protector Composition). Suppose that $A_1, A_2, \ldots, A_k$ are protector automata for a physical plant automaton $PP$, with respective port sets $K_1, K_2, \ldots, K_k$, where $K_i \cap K_{i'} = \emptyset$, for all $i, i' \in \{1, \ldots, k\}$, $i \neq i'$. Suppose that each of the protector automata $A_i$, for all $i \in \{1, \ldots, k\}$, guarantees $G_i$ from $S_i$ given $R_i \cap \left(\bigcap_{i' \in \{1, \ldots, k\},\, i' \neq i} G_{i'}\right)$. Assume that $\alpha$ is any finite execution of the system $PP \times \prod_{i \in \{1, \ldots, k\}} A_i$ starting from a state in $\bigcap_{i \in \{1, \ldots, k\}} S_i$ and all of whose states are in the set $\bigcap_{i \in \{1, \ldots, k\}} R_i$. Then, one of the following holds:

1. Every state in $\alpha$ is in $\bigcap_{i \in \{1, \ldots, k\}} G_i$.

2. The finite execution $\alpha$ can be written as $\alpha_1 \alpha_2$, where

(a) all state occurrences in $\alpha_1$, except possibly the last, are in the set of states $\bigcap_{i \in \{1, \ldots, k\}} G_i$,

(b) if the last state occurrence in $\alpha_1$ is in $G_i$, for some $i \in \{1, \ldots, k\}$, then there exists $i' \in \{1, \ldots, k\}$, $i' \neq i$, such that the last state occurrence in $\alpha_1$ is in $G_{i'}$, and

(c) all state occurrences in $\alpha_2$, except possibly the first, are in the set of states $\bigcap_{i \in I} past(G_i, \alpha)$, for some $I \subseteq \{1, \ldots, k\}$, where $|I| \ge 2$.

In loose terms, Theorem 3 states that the composition of dependent protectors guarantees the conjunction of the safety properties guaranteed by the protectors being composed provided a single action or trajectory of the composed system can cause the violation of at most one of the safety properties guaranteed by the protectors being composed.


4  An  Abstract  Protector 

The abstract protector automaton is parameterized in terms of the automaton $PP$, the subsets $R$, $G$, and $S$ of the states of $PP$, the port index $j$, and the positive real-valued sampling period $d$. The $PP$ automaton represents the physical plant being modeled. The set $R$, also referred to as the set of reliance, is the set of states to which we restrict the states of the $PP$ automaton while considering a particular protector. This set is usually comprised of states satisfying a particular property of the physical plant that is required by the protector under consideration. The set $G$, also referred to as the set of guarantee, is the set of states to which the protector is designed to constrain the $PP$ automaton. The set $S$ is a set of states from which the protector under consideration is said to guarantee $G$ given $R$; that is, given that the states of the $PP$ automaton are restricted to the set $R$, the protector guarantees that every finite execution starting from an initial state in $S$ ends in a state in $G$. The port index $j$ and the sampling period $d$ denote the port and the sampling period with which the abstract protector interacts with the $PP$ automaton. Thus, an instantiation of the abstract protector automaton $Abs(PP, S, R, G, j, d)$ is obtained by specifying the parameters $PP$, etc.

To begin, we define several functions and sets that are useful in the definition of the abstract protector $Abs(PP, S, R, G, j, d)$. Although formal definitions of these functions and sets are presented in Table 1, their informal interpretations follow. First, we define a function, $future_{PP,R,j}$, that yields the set of states of $PP$ that are $R$-reachable from the given subset of $R$ within an amount of time in the given subset of $\mathbb{R}^{\ge 0}$, under the constraint that no input actions arrive on port $j$ of the $PP$ automaton. We define a function, $no\text{-}op_{PP,R,j}$, which yields, for a given state in $R$, the set of input actions on port $j$ of the $PP$ automaton that do not affect the state of the $PP$ automaton, provided they are executed prior to either time-passage or other input actions on port $j$. For any state $p$ in $R$, the input actions in the set $no\text{-}op_{PP,R,j}(p)$ are referred to as no-op input actions on port $j$ of $PP$ for the state $p$. We define a set, $very\text{-}safe_{PP,R,G,j}$, which is comprised of the states of $PP$ that satisfy $R$ and from which all $R$-reachable states of $PP$ with no input actions on port $j$ are in $G$. The set $very\text{-}safe_{PP,R,G,j}$ may be interpreted as the set consisting of the states from which the $PP$ automaton is bound to remain within the set $G$ provided that it remains within the set $R$ and the protector on port $j$ does not retract or issue additional protective actions. We define a set, $safe_{PP,R,G,j}$, which is comprised of the states of $PP$ that satisfy $R$ and from which the protector on port $j$ has a "winning protective strategy"; that is, for any state $p$ in $safe_{PP,R,G,j}$ there exists an input action on port $j$ of the $PP$ automaton whose immediate execution — its execution prior to any time-passage, with the possibility that its execution follows an arbitrary number of discrete actions other than input actions on port $j$ — guarantees that all subsequent $R$-reachable states of $PP$ with no input actions on port $j$ are in $G$; that is, the state following the execution of the particular input action of $PP$ on port $j$ is in the set $very\text{-}safe_{PP,R,G,j}$. We overload the notation $safe_{PP,R,G,j}$ by defining a function, $safe_{PP,R,G,j}$, which yields the states of $PP$ that satisfy $R$ and for which the immediate execution of the given input action on port $j$ — its execution prior to any time-passage, with the possibility that its execution follows an arbitrary number of discrete actions other than input actions on port $j$ — guarantees that all subsequent $R$-reachable states of $PP$ with no input actions on port $j$ are in $G$; that is, the state following the execution of the given input action on port $j$ is in the set $very\text{-}safe_{PP,R,G,j}$. Finally, we define a function, $delay\text{-}safe_{PP,R,G,j}$, which yields the set of states of $PP$ that satisfy $R$ and for which all states $R$-reachable within the given amount of time and with no input actions on port $j$ are in $G$, and all states $R$-reachable in exactly the given amount of time and with no input actions on port $j$ are in $safe_{PP,R,G,j}$.

Table 1 Terminology for the abstract protector $Abs(PP, S, R, G, j, d)$.

$future_{PP,R,j} : \mathcal{P}(R) \times \mathcal{P}(\mathbb{R}^{\ge 0}) \to \mathcal{P}(R)$, defined by:
$p \in future_{PP,R,j}(P, T)$, where $P \subseteq R$ and $T \subseteq \mathbb{R}^{\ge 0}$, if and only if $p$ is $R$-reachable from some $p' \in P$ via a finite execution fragment $\alpha$ of $PP$ with no input actions on port $j$ and with $\alpha.ltime \in T$.

$no\text{-}op_{PP,R,j} : R \to \mathcal{P}(\Sigma^{in}_{PP_j})$, defined by:
$\pi \in no\text{-}op_{PP,R,j}(p)$ if and only if $\pi$ is an input action on port $j$ of $PP$ such that for all $p', p'' \in R$ satisfying $p' \in future_{PP,R,j}(p, 0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p' = p''$.

$very\text{-}safe_{PP,R,G,j} \subseteq R$, defined by:
$p \in very\text{-}safe_{PP,R,G,j}$ if and only if $future_{PP,R,j}(p, \mathbb{R}^{\ge 0}) \subseteq G$.

$safe_{PP,R,G,j} \subseteq R$, defined by:
$p \in safe_{PP,R,G,j}$ if and only if both of the following hold:
1. $future_{PP,R,j}(p, 0) \subseteq G$.
2. There exists an input action $\pi$ on port $j$ such that for every $p', p'' \in R$ satisfying $p' \in future_{PP,R,j}(p, 0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in very\text{-}safe_{PP,R,G,j}$.

$safe_{PP,R,G,j} : \Sigma^{in}_{PP_j} \to \mathcal{P}(R)$, defined by:
$p \in safe_{PP,R,G,j}(\pi)$ if and only if both of the following hold:
1. $future_{PP,R,j}(p, 0) \subseteq G$.
2. For every $p', p'' \in R$ such that $p' \in future_{PP,R,j}(p, 0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in very\text{-}safe_{PP,R,G,j}$.

$delay\text{-}safe_{PP,R,G,j} : \mathbb{R}^{\ge 0} \to \mathcal{P}(R)$, defined by:
$p \in delay\text{-}safe_{PP,R,G,j}(t)$ if and only if both of the following hold:
1. $future_{PP,R,j}(p, [0, t]) \subseteq G$.
2. $future_{PP,R,j}(p, t) \subseteq safe_{PP,R,G,j}$.

We proceed by stating the various assumptions made about the physical plant $PP$ and the abstract protector $Abs(PP, S, R, G, j, d)$. We assume that the $PP$ automaton has no input variables on port $j$, for all $j \in J$; that is, the protectors control the state of the physical plant only through input actions. A consequence of this assumption is that the environment action of the $PP$ automaton is stuttering. Moreover, we assume that the $PP$ automaton has no output actions on port $j$, for all $j \in J$. The physical plant is modeled as a passive system in the sense that the protectors observe the state of the plant only through output variables. We assume that there exist no-op input actions on port $j$ for every state of the $PP$ automaton in the set $R$. We assume that membership of a state of the $PP$ automaton in the set $safe_{PP,R,G,j}$ is determinable from the output variables of the $PP$ automaton, i.e., the set $safe_{PP,R,G,j}$ is $Y_{PP}$-determinable. Moreover, we assume that for any state in the set $safe_{PP,R,G,j}$, an appropriate action to guarantee safety can be determined from the output variables of the $PP$ automaton, i.e., the variables in $Y_{PP}$. For any valuation $y$ of the output variables $Y_{PP}$ of the $PP$ automaton, we use the notation $y \in safe_{PP,R,G,j}$ to denote the existence of a state $p \in safe_{PP,R,G,j}$ such that $p\lceil Y_{PP} = y$. We assume that the state information provided by the output variables of the $PP$ automaton is sufficient to determine membership of any state of the $PP$ automaton in the sets $R$ and $G$, i.e., the sets $R$ and $G$ are $Y_{PP}$-determinable. Moreover, we assume that the set of start states $S$ is a subset of the set $safe_{PP,R,G,j}$.

Fig. 1 $Sensor(PP, S, R, G, j, d)$ automaton definition.

Actions:
  Input: $e$, the environment action
  Output: $snapshot(y)_j$, for each valuation $y$ of $Y_{PP}$
Variables:
  Input: $u \in type(u)$, for all $u \in Y_{PP}$; initially $u \in type(u)$, for each $u \in Y_{PP}$
  Internal: $now_j \in \mathbb{R}^{\ge 0}$, initially 0; $next\text{-}snap_j \in \mathbb{R}^{\ge 0}$, initially 0
Discrete Transitions:
  $e$
    Eff: $Y_{PP} :\in \mathbf{Y_{PP}}$
  $snapshot(y)_j$
    Pre: $next\text{-}snap_j = now_j$; $y$ is the current valuation of $Y_{PP}$
    Eff: $Y_{PP} :\in \mathbf{Y_{PP}}$; $next\text{-}snap_j := now_j + d$
Trajectories:
  for all $u \in Y_{PP}$, $u$ assumes arbitrary values in $type(u)$ throughout $w$
  $next\text{-}snap_j$ is constant throughout $w$
  for all $t \in T_I$: $w(t).now_j = w(0).now_j + t$ and $w(t).now_j \le w(t).next\text{-}snap_j$

The protector is defined as the composition of a sensor automaton (Figure 1) and a discrete controller automaton (Figure 2). Both the sensor and the discrete controller are described abstractly in terms of $PP$, $S$, $R$, $G$, $j$, and $d$ and are respectively denoted $Sensor(PP, S, R, G, j, d)$ and $DC(PP, S, R, G, j, d)$. At intervals of $d$ time units, the sensor automaton samples the output variables of the $PP$ automaton. The discrete controller automaton is rather nondeterministic. Based on the output state information of the $PP$ automaton sampled by the sensor automaton, the discrete controller automaton issues protective actions so as to guarantee that (i) the $PP$ automaton remains within the set $G$ up to the next sampling point, and (ii) the state of the $PP$ automaton at the next sampling point is in the set $safe_{PP,R,G,j}$. The nondeterminism in the description of the $DC(PP, S, R, G, j, d)$ automaton allows the freedom to choose any response that satisfies the given conditions — however, in a discrete controller automaton implementation, a response that least restricts the future states of the physical plant automaton $PP$ would be preferred because it would represent a weaker protective action.

Fig. 2 $DC(PP, S, R, G, j, d)$ automaton definition.

Actions:
  Input: $e$, the environment action (stuttering); $snapshot(y)_j$, for each valuation $y$ of $Y_{PP}$
  Output: $\pi$, for all $\pi \in \Sigma^{in}_{PP_j}$
Variables:
  Internal: $send_j \in \Sigma^{in}_{PP_j} \cup \{null\}$, initially $null$
Discrete Transitions:
  $e$
    Eff: None
  $snapshot(y)_j$
    Eff: if $y \in safe_{PP,R,G,j}$ then
           $send_j :\in \{\pi \in \Sigma^{in}_{PP_j} \mid$ for all $p, p', p'' \in R$ such that $p\lceil Y_{PP} = y$, $p' \in future_{PP,R,j}(p, 0)$, and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in delay\text{-}safe_{PP,R,G,j}(d)\}$
         else
           $send_j :\in \Sigma^{in}_{PP_j}$
  $\pi$
    Pre: $send_j = \pi$
    Eff: $send_j := null$
Trajectories:
  $w.send_j = null$

Theorem 4. Abs(PP,S,R,G,j,d) guarantees G in PP from S given R.

The correctness proof of a particular protector implementation involves defining the particular protector's specification as the instantiation of the abstract protector for particular definitions of PP, etc., and showing that the particular protector implementation is correct with respect to the particular instantiation of the abstract protector. The first step simply involves specifying the parameters PP, etc. The second step is simplified by choosing the protector implementation to be the composition of the sensor automaton Sensor(PP,S,R,G,j,d) and a discrete automaton that is chosen so as to guarantee the effect clause of the snapshot(y)_j action in DC(PP,S,R,G,j,d). Thus, the correctness proof of the implementation is reduced to a simulation from the implementation of the discrete controller automaton to its specification.
5 Modeling the PRT 2000™

In this section, we present a model for a simplified version of the PRT 2000™ whose track topology involves a single track. The model, VEHICLES, which is presented in Figure 3, is a HIOA that conforms to the restrictions and assumptions made about the PP automaton in Sections 3 and 4. It involves n vehicles of identical dimensions and acceleration/deceleration capabilities traveling on a single track. Its state variables include the position x_i, the velocity ẋ_i, and the acceleration ẍ_i of each vehicle i in the set of vehicles I, and several other variables that record whether each vehicle has collided into each other vehicle (collided(i,i'), for i' ∈ I, i' ≠ i), whether each vehicle is braking (brake(i), for i ∈ I), and whether each protector j in the set of protectors J is requesting each particular vehicle to brake (brake-req(i,j), for i ∈ I and j ∈ J). Several properties of the physical plant are enforced by restricting the states of the VEHICLES automaton to the set VALID (Appendix A). In particular, we assume that the vehicles occupy non-overlapping sections of the track, that the vehicles are only allowed to move forward on the track, that the non-malfunctioning vehicle acceleration/deceleration capabilities lie within the interval [c_min, c_max], and that the non-malfunctioning braking deceleration is given by c_brake, if the vehicle is moving forward, and 0, otherwise.

The formal definitions of the derived variables and sets of the VEHICLES automaton are shown in Appendix A. For brevity, we only give informal definitions of the key derived variables. Each of the variables E_i, for i ∈ I, denotes the extent of the vehicle i; that is, the section of the track occupied by the vehicle i. It is defined as the section of track ranging from the position of the rear of the vehicle i to the point on the track that is a distance of c_len downstream of the rear of the vehicle i, a distance that specifies the minimum allowable separation between vehicles, i.e., E_i = [x_i, x_i + c_len], for i ∈ I. Each of the variables O_i, for i ∈ I, denotes the section of the track that the vehicle i owns; that is, the range extending from the current position of the rear of the vehicle i to the point on the track that the vehicle can reach even if it is braked immediately. Each of the variables C_i(t), for i ∈ I and t ∈ R^{≥0}, denotes the section of the track that the vehicle i claims within t time units; that is, the range extending from the current position of the rear of the vehicle i to the point on the track that the vehicle i can reach if it is braked after t time units and assuming worst-case vehicle behavior up to the point in time when it is braked. Moreover, each of the variables collided(*,i,*), for i ∈ I, denotes whether the vehicle i has ever been involved in a collision. Some auxiliary sets for the VEHICLES automaton that will be used in the following sections are defined in Appendix B.

The input actions of the VEHICLES automaton are the environment action e and the actions brake(i)_j and unbrake(i)_j, for i ∈ I and j ∈ J. Since the VEHICLES automaton has no input variables, the environment action e is stuttering. Each of the actions brake(i)_j and unbrake(i)_j, for i ∈ I and j ∈ J, corresponds to an action performed by the protector j instructing the vehicle i to apply or release its "emergency" brake, respectively. Each brick-wall(i) action, for i ∈ I, models the instantaneous stopping of the vehicle i, as if it hit a brick wall. Thereafter, however, the vehicle i is allowed to reinitiate forward motion. Each colliding-pair(i,i') action, for i,i' ∈ I, i ≠ i', records the fact that the vehicle i has collided into the vehicle i'. Since the trailing vehicle is the only vehicle that can prevent the collision through braking, a collision is recorded only by the trailing vehicle, as if the trailing vehicle were the only vehicle liable for the particular collision. Each collision-effects(i) action, for i ∈ I, models the adverse effects of a collision involving the vehicle i and may be executed, even repeatedly, at any instant of time following the first collision involving the vehicle i. Thus, the malfunctioning apparatus of any vehicle i, for i ∈ I, is modeled by succeeding each of the discrete actions with a collision-effects(i) action for the malfunctioning vehicle.

The trajectories of the VEHICLES automaton model the continuous evolution of the state of the VEHICLES automaton. If during a trajectory a vehicle i collides into a vehicle i' for the first time, the trajectory is stopped so that the collision can be recorded.

Fig. 3 The VEHICLES automaton.

Actions:
  Input:
    e, the environment action (stuttering)
    brake(i)_j, for all i ∈ I, j ∈ J
    unbrake(i)_j, for all i ∈ I, j ∈ J
  Internal:
    colliding-pair(i,i'), for all i,i' ∈ I, i' ≠ i
    collision-effects(i), for all i ∈ I
    brick-wall(i), for all i ∈ I

Variables:
  Internal:
    ẍ_i ∈ R, for all i ∈ I, initially ẍ_i ∈ R
    brake(i) ∈ Bool, for all i ∈ I, initially False
    brake-req(i,j) ∈ Bool, for all i ∈ I, j ∈ J, initially False
  Output:
    x_i ∈ R, for all i ∈ I, initially x_i ∈ R
    ẋ_i ∈ R, for all i ∈ I, initially ẋ_i ∈ R
    collided(i,i') ∈ Bool, for all i,i' ∈ I, i' ≠ i, initially False
  subject to VALID

Discrete Transitions:
  e
    Eff: None

  brake(i)_j
    Eff: brake-req(i,j) := True
         if ¬brake(i) then
           brake(i) := True
           if ẋ_i = 0 then ẍ_i := 0
           else ẍ_i := c_brake

  unbrake(i)_j
    Eff: brake-req(i,j) := False
         if brake(i) ∧ ¬(∨_{k∈J} brake-req(i,k)) then
           brake(i) := False
           ẍ_i :∈ [c_min, c_max]

  colliding-pair(i,i')
    Pre: ¬collided(i,i') ∧ (E_i ∩ E_i' ≠ ∅) ∧ (x_i < min(E_i ∩ E_i'))
    Eff: collided(i,i') := True

  collision-effects(i)
    Pre: collided(*,i,*)
    Eff: ẋ_i :∈ R^{≥0}
         ẍ_i :∈ R

  brick-wall(i)
    Pre: True
    Eff: ẋ_i := 0
         if brake(i) then ẍ_i := 0
         else ẍ_i :∈ [0, c_max]

Trajectories:
  for all i,i' ∈ I, i ≠ i', collided(i,i') is constant throughout w
  for all i ∈ I and j ∈ J, brake(i) and brake-req(i,j) are constant throughout w
  for all i ∈ I, the function w.ẍ_i is integrable and, for all t ∈ T_w,
    w(t).ẋ_i = w(0).ẋ_i + ∫_0^t w(s).ẍ_i ds
    w(t).x_i = w(0).x_i + ∫_0^t w(s).ẋ_i ds
  for all i,i' ∈ I, i ≠ i', and t ∈ T_w,
    if ¬w.collided(i,i') ∧ (w(t).E_i ∩ w(t).E_i' ≠ ∅) ∧ (w(t).x_i < min(w(t).E_i ∩ w(t).E_i'))
    then t = w.ltime
  subject to VALID

6 Example Overspeed and Collision Avoidance Protectors

6.1 Example 1: Overspeed Protection System

In this section, we present a protector, called OS-PROT, that prevents the vehicles of the VEHICLES automaton from exceeding a prespecified global speed limit c_max, provided that they do not collide among themselves. The protector OS-PROT is defined to be the composition of n separate copies of another protector called OS-PROT-SOLO_i, one copy for each vehicle i ∈ I. Each of the OS-PROT-SOLO_i protectors, for i ∈ I, guarantees that the vehicle i does not exceed the speed limit c_max, provided that no collisions among any of the vehicles occur. The braking strategy of the OS-PROT-SOLO_i protector is to instruct the vehicle i to brake if it is capable of exceeding the speed limit c_max within the time until the next sampling point.

Let PP_i be the VEHICLES automaton of Figure 3, the port j_i and the sampling period d_i be the port and sampling period with which the protector OS-PROT-SOLO_i communicates with the VEHICLES automaton, the set R_i be the set of states in which none of the vehicles have ever collided, i.e., R_i = P_not-collided (Appendix B), the set G_i be the set of states in which the vehicle i is at or below the speed limit, i.e., G_i = VALID − P_overspeed(i) (Appendix B), and the set S_i be the set safe_{PP_i,R_i,G_i,j_i}. We define the OS-PROT-SOLO_i automaton to be the composition of Sensor(PP_i,S_i,R_i,G_i,j_i,d_i) and the discrete controller automaton of Figure 4.

Lemma 1. The protector OS-PROT-SOLO_i guarantees G_i in VEHICLES starting from S_i given R_i.

Corollary 1. The protector OS-PROT = ∏_{i∈I} OS-PROT-SOLO_i for the VEHICLES automaton guarantees ∩_{i∈I} G_i in the VEHICLES automaton starting from ∩_{i∈I} S_i given P_not-collided.

Corollary 1 follows directly from Lemma 1 and Theorem 2.
Fig. 4 Discrete controller automaton for the protector OS-PROT-SOLO_i.

Actions:
  Input:
    e, the environment action (stuttering)
    snapshot(y)_j, for each valuation y of Y_VEHICLES
  Output:
    brake(i)_j
    unbrake(i)_j

Variables:
  Internal:
    send_j ∈ {brake, unbrake, null}, initially null

Discrete Transitions:
  e
    Eff: None

  snapshot(y)_j
    Eff: if (y.ẋ_i < c_max − d c_max) then
           send_j := unbrake
         else
           send_j := brake

  brake(i)_j
    Pre: send_j = brake
    Eff: send_j := null

  unbrake(i)_j
    Pre: send_j = unbrake
    Eff: send_j := null

Trajectories:
  w.send_j = null
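The sampling-delay reasoning behind the sensor/discrete-controller loop of Section 4 and the OS-PROT-SOLO_i rule of Figure 4, as an added example; this is not code from the paper. It runs the Figure 4 snapshot rule against a worst-case vehicle that accelerates at c_max whenever it is not braked and, for contrast, a controller that brakes only once the limit has already been exceeded. The parameter values, the fixed-step trajectory simulation, and all function names are assumptions of this example, not definitions from the paper.

```python
# Added example: sampled overspeed protector (Fig. 4) against a worst-case vehicle.
# Not the paper's code; parameter values and names are constructed for this example.

C_MAX = 30.0     # speed limit; the paper also uses c_max as the maximum acceleration
C_BRAKE = -6.0   # braking deceleration, negative as in Appendix A (stop-dist = -v^2 / (2 c_brake))
D = 0.2          # sampling period d of the sensor automaton (assumed value)
DT = 0.001       # integration step of the trajectory simulation (assumed value)


def snapshot_effect(vel: float, d: float = D) -> str:
    """Effect clause of snapshot(y)_j in Fig. 4: unbrake only when the vehicle cannot
    reach c_max before the next sample, even if it accelerates at c_max for d time units."""
    return "unbrake" if vel < C_MAX - d * C_MAX else "brake"


def naive_effect(vel: float, d: float = D) -> str:
    """A controller that ignores the sampling delay: it brakes only once the limit has
    already been exceeded. Shown for contrast only; this is not the paper's rule."""
    return "unbrake" if vel <= C_MAX else "brake"


def plant_accel(vel: float, braking: bool) -> float:
    """Worst-case plant behaviour allowed by VALID (Appendix A): accelerate at c_max
    unless braked; when braked, decelerate at c_brake, or hold 0 once stopped."""
    if braking:
        return 0.0 if vel == 0.0 else C_BRAKE
    return C_MAX


def simulate(controller, horizon: float, vel0: float = 1.0, d: float = D) -> float:
    """Run the sensor/controller loop against the worst-case plant for `horizon` time
    units and return the peak speed reached. The sensor samples every d time units,
    which is an integer number of DT steps, so the sampling instants are exact."""
    steps = int(round(horizon / DT))
    per_sample = int(round(d / DT))
    vel, braking, peak = vel0, False, vel0
    for k in range(steps):
        if k % per_sample == 0:                  # snapshot(y)_j, then brake/unbrake(i)_j
            braking = controller(vel, d) == "brake"
        vel = max(0.0, vel + plant_accel(vel, braking) * DT)   # VALID item 2: velocity >= 0
        peak = max(peak, vel)
    return peak


def overshoot_bound(d: float = D) -> float:
    """How far past c_max the naive controller can be driven: at most d * c_max, the
    speed gained at maximum acceleration between two consecutive samples."""
    return d * C_MAX


if __name__ == "__main__":
    print("Fig. 4 rule, peak speed:", simulate(snapshot_effect, 3.0))   # stays at or below c_max
    print("naive rule, peak speed:", simulate(naive_effect, 3.0))       # exceeds c_max
```

With the Figure 4 rule the vehicle is braked as soon as its sampled speed reaches c_max(1 − d), so the speed gained before the next snapshot never carries it past c_max; the naive rule lets the worst-case plant overshoot by up to d·c_max, which is exactly the margin the abstract protector's condition (i) in Section 4 is there to cover.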

6.2 Example 2: Collision Avoidance on a Single Track

In this section, we present a protector, called CL-PROT, that prevents the vehicles of the VEHICLES automaton from colliding among themselves, provided that they are all abiding by the speed limit c_max. The protector CL-PROT is defined to be the composition of n separate copies of another protector called CL-PROT-SOLO_i, one copy for each vehicle i ∈ I. Each of the CL-PROT-SOLO_i protectors, for i ∈ I, guarantees that the vehicle i does not collide into any of the vehicles it trails, provided that all the vehicles in the VEHICLES automaton are abiding by the speed limit and that all other vehicles i' ∈ I, i' ≠ i, do not collide into any of the vehicles they respectively trail. The braking strategy of the CL-PROT-SOLO_i protector is to instruct the vehicle i to brake if it has a d_i time unit claim overlap with any of the vehicles it trails. The rationale behind this braking strategy is that a collision between two vehicles in the VEHICLES automaton can only be prevented by instructing the trailing vehicle to brake.

Let PP_i be the VEHICLES automaton of Figure 3, the port j_i and the sampling period d_i be the port and sampling period with which the protector CL-PROT-SOLO_i communicates with the VEHICLES automaton, and the set G_i be the set of states in which the vehicle i has not collided into any of the other vehicles, i.e., G_i = VALID − P_collided(i) (Appendix B). Moreover, let the set R_i be the set of states in which all of the vehicles are abiding by the speed limit and in which each of the other vehicles has never collided into any other vehicle, i.e., R_i = P_not-overspeed ∩ (∩_{i'∈I, i'≠i} G_i') (Appendix B), and the set S_i be the set safe_{PP_i,R_i,G_i,j_i}. We define the CL-PROT-SOLO_i automaton to be the composition of Sensor(PP_i,S_i,R_i,G_i,j_i,d_i) and the discrete controller automaton of Figure 5.
Fig. 5 Discrete controller automaton for the protector CL-PROT-SOLO_i.

Actions:
  Input:
    e, the environment action (stuttering)
    snapshot(y)_j, for each valuation y of Y_VEHICLES
  Output:
    brake(i)_j
    unbrake(i)_j

Variables:
  Internal:
    send_j ∈ {brake, unbrake, null}, initially null

Discrete Transitions:
  e
    Eff: None

  snapshot(y)_j
    Eff: if ∃ i' ∈ I, i' ≠ i such that
              y ∉ disjoint-claimed-tracks(i,i',d) ∧ (y.x_i < y.x_i')
         then
           send_j := brake
         else
           send_j := unbrake

  brake(i)_j
    Pre: send_j = brake
    Eff: send_j := null

  unbrake(i)_j
    Pre: send_j = unbrake
    Eff: send_j := null

Trajectories:
  w.send_j = null

Lemma 2. The protector CL-PROT-SOLO_i guarantees G_i in VEHICLES starting from S_i given R_i.

Lemma 3. The protector CL-PROT = ∏_{i∈I} CL-PROT-SOLO_i for the VEHICLES automaton guarantees ∩_{i∈I} G_i in the VEHICLES automaton starting from ∩_{i∈I} S_i given P_not-overspeed.

Lemma 3 is shown by combining Lemma 2 and Theorem 3 and realizing that the second condition of Theorem 3 does not hold.

6.3 Example 3: Collision Avoidance on Merging Tracks

In this section, we present a protector, called MERGE-PROT, that guarantees that none of the n vehicles that are traveling on a track involving a Y-shaped merge collide, provided that they are all abiding by the speed limit c_max. The MERGE-PROT protector is defined as the composition of n(n−1)/2 separate copies of another protector called MERGE-PROT-PAIR_{i,i'}, one copy for each unordered pair of vehicles {i,i'}, where i,i' ∈ I, i ≠ i'. Each of these MERGE-PROT-PAIR_{i,i'} protectors, for i,i' ∈ I, i ≠ i', guarantees that the vehicles i and i' do not collide into each other, provided that all the vehicles are abiding by the speed limit and the vehicles of all other vehicle pairs do not collide between themselves.

We augment the VEHICLES automaton to involve a track topology consisting of a Y-shaped merge. This is done by replacing the position component of a vehicle's state with a location component (a component that specifies the track on which the vehicle is traveling and the vehicle's position with respect to the merge point) and by updating the definitions of the discrete steps and the trajectories of the VEHICLES automaton to handle the location variables. Furthermore, we replace the brake and unbrake input actions of the VEHICLES automaton with protect input actions which allow single protectors to instruct sets of vehicles to apply their "emergency" brakes. Finally, we augment the definitions of the discrete actions pertaining to vehicle collisions such that the blame for a particular collision is assigned to either only the trailing vehicle, if one vehicle collides into the other vehicle from behind, or both vehicles, if the vehicles collide sideways while merging. The resulting physical plant automaton is henceforth referred to as MERGE-VEHICLES.

Let PP_{i,i'} be the MERGE-VEHICLES automaton. Let the port j_{i,i'} and the sampling period d_{i,i'} be the port and sampling period with which the protector MERGE-PROT-PAIR_{i,i'} communicates with the MERGE-VEHICLES automaton. Let G_{i,i'} be the set of states in which the vehicles i and i' have not collided into each other, i.e., G_{i,i'} = VALID − P_collided(i,i') − P_collided(i',i) (Appendix B). Let R_{i,i'} be the set of states of the MERGE-VEHICLES automaton in which all the vehicles are abiding by the speed limit and in which the vehicles of all other vehicle pairs have not collided into each other, i.e., R_{i,i'} = P_not-overspeed ∩ (∩ G_{k,k'}), the intersection ranging over all unordered pairs {k,k'} of vehicles other than {i,i'} (Appendix B). Finally, let S_{i,i'} be the set safe_{PP_{i,i'},R_{i,i'},G_{i,i'},j_{i,i'}}.

We define the protector MERGE-PROT-PAIR_{i,i'} to be the composition of Sensor(PP_{i,i'}, S_{i,i'}, R_{i,i'}, G_{i,i'}, j_{i,i'}, d_{i,i'}) and a discrete controller automaton whose braking strategy is as follows. The discrete controller automaton is allowed to brake the vehicles i and i' only if the sections of the track they claim in time d_{i,i'} overlap. Given that the vehicles i and i' are indeed involved in such a claim overlap, there are two possible scenarios depending on whether the locations of the vehicles i and i' are comparable, or not. If their locations are comparable, then the vehicle i is instructed to brake if it trails the vehicle i'; otherwise, the vehicle i' is instructed to brake. On the other hand, if the vehicle locations are not comparable, the vehicle i is instructed to brake either if only the vehicle i' owns the merge point, or if both or neither vehicles own the merge point and the vehicle i is traveling on the left branch of the merge; otherwise, the vehicle i' is instructed to brake. In the latter case, we choose to brake the vehicle traveling on the left branch for no particular reason. In fact, it is plausible to brake either or both of the vehicles involved in the claim overlap.

Lemma 4. The protector MERGE-PROT-PAIR_{i,i'} guarantees that the MERGE-VEHICLES automaton remains within G_{i,i'} starting from S_{i,i'} given R_{i,i'}.

Lemma 5. The protector MERGE-PROT = ∏_{i,i'∈I, i≠i'} MERGE-PROT-PAIR_{i,i'} for the MERGE-VEHICLES automaton guarantees ∩_{i,i'∈I, i≠i'} G_{i,i'} in MERGE-VEHICLES starting from ∩_{i,i'∈I, i≠i'} S_{i,i'} given P_not-overspeed.

Lemma 5 is shown by combining Lemma 4 and Theorem 3 and realizing that the second condition of Theorem 3 does not hold.
6.4 Example 4: Collision Avoidance on a General Graph of Tracks

In this section, we present a protector, called GRAPH-PROT, that guarantees that none of the n vehicles traveling on a directed graph of tracks comprised of Y-shaped merges and diverges collide, provided that they are all abiding by the speed limit c_max. As in Section 6.3, the GRAPH-PROT protector is defined as the composition of n(n−1)/2 separate copies of another protector called GRAPH-PROT-PAIR_{i,i'}, one copy for each unordered pair of vehicles {i,i'}, where i,i' ∈ I, i ≠ i'. Each of the GRAPH-PROT-PAIR_{i,i'} protectors, for i,i' ∈ I, i ≠ i', guarantees that the vehicles i and i' do not collide into each other, provided that all the vehicles are abiding by the speed limit and the vehicles of all other vehicle pairs do not collide between themselves.

We augment the MERGE-VEHICLES automaton to involve a general track topology consisting of a directed graph G of Y-shaped merges and diverges. All the edges of the graph G are assumed to be of sufficient length to rule out collisions among vehicles that are neither on identical nor on contiguous edges, and all cycles of the graph G are assumed to have at least three edges. Moreover, in order to break the topological symmetry in merge situations, we associate with each edge of the track topology a unique and totally ordered priority index. The resulting physical plant automaton is henceforth referred to as GRAPH-VEHICLES.

Letting PP_{i,i'}, S_{i,i'}, R_{i,i'}, G_{i,i'}, j_{i,i'}, and d_{i,i'} be as defined in Section 6.3, we define the GRAPH-PROT-PAIR_{i,i'} automaton to be the composition of Sensor(PP_{i,i'}, S_{i,i'}, R_{i,i'}, G_{i,i'}, j_{i,i'}, d_{i,i'}) and a discrete controller automaton whose braking strategy is as follows. The discrete controller automaton is allowed to brake the vehicles i and i' only if the sections of the track they claim in d_{i,i'} time units overlap. Given that the vehicles i and i' are indeed involved in such a claim overlap, there are two possible scenarios depending on whether the vehicles i and i' are traveling in succession, or on adjacent tracks. If the vehicles are traveling in succession, then the vehicle i is instructed to brake if it trails the vehicle i'; otherwise, the vehicle i' is instructed to brake. On the other hand, if the vehicles i and i' are traveling on adjacent edges, the vehicle i is instructed to brake either if only the vehicle i' owns the merge point, or if both or neither vehicles own the merge point and the vehicle i' is traveling on the edge of greater priority; otherwise, the vehicle i' is instructed to brake.

Lemma 6. The protector GRAPH-PROT-PAIR_{i,i'} guarantees that the GRAPH-VEHICLES automaton remains within G_{i,i'} starting from S_{i,i'} given R_{i,i'}.

Lemma 7. The protector GRAPH-PROT = ∏_{i,i'∈I, i≠i'} GRAPH-PROT-PAIR_{i,i'} for the GRAPH-VEHICLES automaton guarantees ∩_{i,i'∈I, i≠i'} G_{i,i'} in GRAPH-VEHICLES starting from ∩_{i,i'∈I, i≠i'} S_{i,i'} given P_not-overspeed.

Lemma 7 is shown by combining Lemma 6 and Theorem 3 and realizing that the second condition of Theorem 3 does not hold.

6.5 Composing the Overspeed and Collision Protectors

In the previous sections, we presented example protectors whose correct operation required that the physical plant automaton at hand satisfy particular properties. For example, in the case of the VEHICLES automaton of Section 5, the overspeed protector OS-PROT of Section 6.1 assumes that none of the vehicles collide among themselves and the collision protector CL-PROT of Section 6.2 assumes that none of the vehicles exceed the speed limit. Using Theorem 3 it can be shown that the composition OS-PROT × CL-PROT is a protector for the VEHICLES automaton that guarantees that the vehicles in the VEHICLES automaton neither exceed the speed limit, nor collide among themselves. In fact, realizing that the OS-PROT protector extends, virtually unchanged, to the MERGE-VEHICLES and GRAPH-VEHICLES automata, such composition results extend to the MERGE-VEHICLES and GRAPH-VEHICLES automata by composing the OS-PROT protector with the MERGE-PROT and GRAPH-PROT protectors, respectively.

7 Conclusions

In this paper, we demonstrate how formal analysis techniques using the hybrid I/O automaton model can be applied to the specification and verification of hybrid systems whose structure adheres to the protection subsystem paradigm. We propose a parameterized abstract protector model which allows simple specification of an abstract protector for any hybrid system of this form. Such a specification is obtained by defining the physical system, the start states, the sets of guarantee and reliance, and the port and sampling period with which the protector communicates with the physical plant. The proof of correctness of the abstract model leads to simple correctness proofs of the protector implementations for particular instantiations of the abstract model. Finally, the composition of independent, and even dependent protectors under mild conditions, guarantees the conjunction of the safety properties guaranteed by the individual protectors. The examples presented in this paper show that the proposed formal framework provides a precise and succinct protector specification, involves a simple and straightforward proof methodology, and scales to complex hybrid systems through abstraction and modular decomposition.
A Derived Variables and Sets of the VEHICLES Automaton

$E_i \in \mathcal{P}(\mathbb{R})$, for all $i \in I$, defined by $E_i = [x_i, x_i + c_{len}]$.

$collided(i,*) \in Bool$, for $i \in I$, defined by $collided(i,*) = \bigvee_{i' \in I,\, i' \neq i} collided(i,i')$.

$collided(*,i) \in Bool$, for $i \in I$, defined by $collided(*,i) = \bigvee_{i' \in I,\, i' \neq i} collided(i',i)$.

$collided(*,i,*) \in Bool$, for $i \in I$, defined by $collided(*,i,*) = collided(*,i) \vee collided(i,*)$.

$VALID \subseteq states(VEHICLES)$, defined by $VALID = \{p \in states(VEHICLES) \mid$

1. $\nexists\, i,i' \in I,\, i \neq i'$ such that the set $p.E_i \cap p.E_{i'}$ is a positive length closed interval of $\mathbb{R}$.

2. $p.\dot{x}_i \geq 0$, for all $i \in I$.

3. If $\neg p.collided(*,i,*)$ then $p.\ddot{x}_i \in [c_{min}, c_{max}]$, for all $i \in I$.

4. If $\neg p.collided(*,i,*) \wedge p.brake(i)$ then if $p.\dot{x}_i = 0$ then $p.\ddot{x}_i = 0$ else $p.\ddot{x}_i = c_{brake}$, for all $i \in I$. $\}$

$stop\text{-}dist_i \in \mathbb{R}^{\geq 0}$, for all $i \in I$, defined by
$$stop\text{-}dist_i = -\frac{\dot{x}_i^2}{2\, c_{brake}}$$

$max\text{-}range_i(t) \in \mathbb{R}^{\geq 0}$, for all $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, defined by
$$max\text{-}range_i(t) = \begin{cases}
\dot{x}_i \Delta t + \tfrac{1}{2} c_{max} \Delta t^2 + c_{max}(t - \Delta t), \text{ where } \Delta t = \min\!\left(t, \frac{c_{max} - \dot{x}_i}{c_{max}}\right), & \text{if } \dot{x}_i \leq c_{max}, \text{ and} \\[6pt]
\dot{x}_i \Delta t + \tfrac{1}{2} c_{brake} \Delta t^2 + c_{max}(t - \Delta t), \text{ where } \Delta t = \min\!\left(t, \frac{c_{max} - \dot{x}_i}{c_{brake}}\right), & \text{otherwise.}
\end{cases}$$

$max\text{-}vel_i(t) \in \mathbb{R}^{\geq 0}$, for all $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, defined by
$$max\text{-}vel_i(t) = \begin{cases}
\min(c_{max},\, \dot{x}_i + t\, c_{max}) & \text{if } \dot{x}_i \leq c_{max}, \\
\max(c_{max},\, \dot{x}_i + t\, c_{brake}) & \text{otherwise.}
\end{cases}$$

$O_i \subseteq \mathbb{R}$, for all $i \in I$, defined by
$$O_i = [x_i,\, x_i + stop\text{-}dist_i + c_{len}]$$

$C_i(t) \subseteq \mathbb{R}$, for all $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, defined by
$$C_i(t) = \left[x_i,\, x_i + max\text{-}range_i(t) - \frac{max\text{-}vel_i(t)^2}{2\, c_{brake}} + c_{len}\right]$$

B Auxiliary Sets for the VEHICLES Automaton

$P_{overspeed}(i) \subseteq VALID$, for $i \in I$, defined by $P_{overspeed}(i) = \{p \in VALID \mid p.\dot{x}_i > c_{max}\}$.

$P_{overspeed} \subseteq VALID$, defined by $P_{overspeed} = \bigcup_{i \in I} P_{overspeed}(i)$.

$P_{not\text{-}overspeed} \subseteq VALID$, defined by $P_{not\text{-}overspeed} = VALID - P_{overspeed}$.

$P_{collided}(i,i') \subseteq VALID$, for $i,i' \in I$, $i \neq i'$, defined by $P_{collided}(i,i') = \{p \in VALID \mid p.collided(i,i') = True\}$.

$P_{collided}(i) \subseteq VALID$, defined by $P_{collided}(i) = \bigcup_{i' \in I,\, i' \neq i} P_{collided}(i,i')$.

$P_{collided} \subseteq VALID$, defined by $P_{collided} = \bigcup_{i \in I} P_{collided}(i) = \bigcup_{i,i' \in I,\, i \neq i'} P_{collided}(i,i')$.

$P_{not\text{-}collided} \subseteq VALID$, defined by $P_{not\text{-}collided} = VALID - P_{collided}$.

$disjoint\text{-}extents(i,i') \subseteq VALID$, for $i,i' \in I$, $i \neq i'$, defined by $disjoint\text{-}extents(i,i') = \{p \in VALID \mid p.E_i \cap p.E_{i'} = \emptyset\}$.

$P_E \subseteq VALID$, defined by $P_E = \bigcap_{i,i' \in I,\, i \neq i'} disjoint\text{-}extents(i,i')$.

$disjoint\text{-}owned\text{-}tracks(i,i') \subseteq VALID$, for $i,i' \in I$, $i \neq i'$, defined by $disjoint\text{-}owned\text{-}tracks(i,i') = \{p \in VALID \mid p.O_i \cap p.O_{i'} = \emptyset\}$.

$P_O \subseteq VALID$, defined by $P_O = \bigcap_{i,i' \in I,\, i \neq i'} disjoint\text{-}owned\text{-}tracks(i,i')$.

$disjoint\text{-}claimed\text{-}tracks(i,i',t) \subseteq VALID$, for $i,i' \in I$, $i \neq i'$, and $t \in \mathbb{R}^{\geq 0}$, defined by $disjoint\text{-}claimed\text{-}tracks(i,i',t) = \{p \in VALID \mid p.C_i(t) \cap p.C_{i'}(t) = \emptyset\}$.

$P_C(t) \subseteq VALID$, for $t \in \mathbb{R}^{\geq 0}$, defined by $P_C(t) = \bigcap_{i,i' \in I,\, i \neq i'} disjoint\text{-}claimed\text{-}tracks(i,i',t)$.

$P_{B_{i,j}} \subseteq VALID$, defined by $P_{B_{i,j}} = \{p \in VALID \mid p.brake\text{-}req(i,j) = True\}$.
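The derived variables of Appendix A (stop-dist, max-range, max-vel, the owned section O_i and the claim C_i(t)), the disjoint-claimed-tracks test of Appendix B, the trailing-vehicle precondition of colliding-pair(i,i') in Figure 3, and the CL-PROT-SOLO_i braking rule of Figure 5 (Section 6.2), worked in one piece as an added example; this is not the paper's code. The parameter values, the two three-vehicle snapshots, and the function and class names are constructed for this example; the formulas themselves are those of Appendices A and B. It also checks a consequence of the definitions that the text states only informally: the section a vehicle claims within 0 time units is exactly the section it owns.

```python
# Added example: Appendix A derived variables and the CL-PROT-SOLO_i rule of Fig. 5.
# Not the paper's code; parameter values, names and the snapshots are constructed.
from dataclasses import dataclass
from typing import Dict, Tuple

C_MAX = 30.0     # speed limit; the paper also uses c_max as the maximum acceleration
C_BRAKE = -6.0   # braking deceleration, negative so that stop-dist = -v^2 / (2 c_brake) >= 0
C_LEN = 10.0     # minimum allowable separation between vehicle rears (assumed value)

Interval = Tuple[float, float]   # closed interval of track positions


@dataclass(frozen=True)
class Vehicle:
    x: float   # x_i, position of the rear of the vehicle
    v: float   # velocity of the vehicle (VALID item 2 requires it to be >= 0)


def stop_dist(v: float) -> float:
    """stop-dist_i = -v^2 / (2 c_brake): distance travelled while braking to a stop."""
    return -v * v / (2 * C_BRAKE)


def max_vel(v: float, t: float) -> float:
    """max-vel_i(t): highest speed after t time units of worst-case behaviour
    (accelerate at c_max up to the limit; above the limit, decelerate at c_brake)."""
    if v <= C_MAX:
        return min(C_MAX, v + t * C_MAX)
    return max(C_MAX, v + t * C_BRAKE)


def max_range(v: float, t: float) -> float:
    """max-range_i(t): distance covered in t time units of worst-case behaviour."""
    if v <= C_MAX:
        dt = min(t, (C_MAX - v) / C_MAX)        # time until the speed limit is reached
        return v * dt + 0.5 * C_MAX * dt * dt + C_MAX * (t - dt)
    dt = min(t, (C_MAX - v) / C_BRAKE)          # time until the limit is regained
    return v * dt + 0.5 * C_BRAKE * dt * dt + C_MAX * (t - dt)


def extent(veh: Vehicle) -> Interval:
    """E_i = [x_i, x_i + c_len]."""
    return (veh.x, veh.x + C_LEN)


def owned(veh: Vehicle) -> Interval:
    """O_i = [x_i, x_i + stop-dist_i + c_len]: reachable even if braked immediately."""
    return (veh.x, veh.x + stop_dist(veh.v) + C_LEN)


def claimed(veh: Vehicle, t: float) -> Interval:
    """C_i(t) = [x_i, x_i + max-range_i(t) - max-vel_i(t)^2 / (2 c_brake) + c_len]:
    reachable if braked only after t time units of worst-case behaviour."""
    end = veh.x + max_range(veh.v, t) - max_vel(veh.v, t) ** 2 / (2 * C_BRAKE) + C_LEN
    return (veh.x, end)


def disjoint(a: Interval, b: Interval) -> bool:
    """Closed intervals are disjoint iff one ends strictly before the other starts."""
    return a[1] < b[0] or b[1] < a[0]


def colliding_pair_enabled(i: str, k: str, snap: Dict[str, Vehicle]) -> bool:
    """Precondition of colliding-pair(i,i') in Fig. 3 (apart from the collided flag):
    the extents overlap and i is the trailing vehicle, i.e. x_i < min(E_i ∩ E_i')."""
    ei, ek = extent(snap[i]), extent(snap[k])
    return not disjoint(ei, ek) and snap[i].x < max(ei[0], ek[0])


def cl_prot_solo(i: str, snap: Dict[str, Vehicle], d: float) -> str:
    """Effect of snapshot(y)_j in Fig. 5: brake vehicle i if some vehicle i' that it
    trails (x_i < x_i') has a d-time-unit claim overlapping i's own claim."""
    me = snap[i]
    for k, other in snap.items():
        if k != i and me.x < other.x and not disjoint(claimed(me, d), claimed(other, d)):
            return "brake"
    return "unbrake"


def protector_decisions(snap: Dict[str, Vehicle], d: float) -> Dict[str, str]:
    """One CL-PROT-SOLO_i decision per vehicle, i.e. the response of the composed CL-PROT."""
    return {i: cl_prot_solo(i, snap, d) for i in snap}


# Constructed snapshots (not from the paper): rear positions and speeds of three vehicles.
SNAPSHOT_SPREAD = {"A": Vehicle(0.0, 20.0), "B": Vehicle(100.0, 20.0), "C": Vehicle(400.0, 0.0)}
SNAPSHOT_CLOSING = {"A": Vehicle(0.0, 20.0), "B": Vehicle(150.0, 25.0), "C": Vehicle(200.0, 0.0)}

if __name__ == "__main__":
    print(protector_decisions(SNAPSHOT_SPREAD, 0.2))    # every vehicle: unbrake
    print(protector_decisions(SNAPSHOT_CLOSING, 0.2))   # B trails C with overlapping claims: brake
```

In the second snapshot vehicle C is stopped and vehicle B, 50 units behind it at speed 25, is braked because its 0.2-time-unit claim (about 90 units of track ahead of it) reaches into C's claim; C itself is not braked, since with x_C > x_B it is not the trailing vehicle of the overlapping pair, matching the rationale given in Section 6.2.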
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Abstract.  Motivated  by  our  work  on  Automated  Highway  Systems 
(AHS),  we  consider  a  physical  system,  the  string  of  vehicles  and  con¬ 
struct  a  natural  model  for  it  in  the  Hybrid  Input/Output  Automaton 
formalism.  We  describe  a  special  maneuver  that  may  have  to  be  exe¬ 
cuted  by  the  system,  the  emergency  deceleration  maneuver,  and  derive 
necessary  and  sufficient  conditions  on  the  system  parameters  under  which 
this  maneuver  can  be  executed  in  safety.  We  conclude  by  giving  a  brief 
discussion  of  the  implications  of  our  results  for  the  design  of  an  AHS 
that  allows  the  formation  of  platoons  of  vehicles. 


1  Introduction 

Hybrid systems have attracted the attention of both computer theorists and control engineers. Our work ultimately aims at a rapprochement of these two perspectives. Here we use a combination of techniques from the two areas to address a specific problem in transportation. This is the problem of the safety of a collection of vehicles traveling one behind the other in a single lane; we refer to such a collection as a string of vehicles. The problem is hybrid as it involves both continuous vehicle motion and (possibly) collisions, which in our setting are treated as discrete velocity changes. We try to establish conditions under which a string of vehicles will be safe while executing a particular maneuver.

We start by developing a detailed model for the system in the Hybrid Input/Output Automaton modeling framework (Section 2). Modest extensions of the original framework of [1] are needed to capture all the phenomena of interest for this problem. Then, in Section 3 we introduce the emergency deceleration maneuver, whose safety analysis is the primary focus of this paper. We give some necessary and some sufficient conditions under which the safety of the maneuver can be guaranteed. Finally, in Section 4, we discuss the implications of our results in the context of platooning of vehicles.

* Research supported by California PATH under MOU-238 and MOU 288, ARPA contract F19628-95-C-0118, AFOSR contract F49620-97-1-0337, AFOSR contract F49620-94-1-0199 and the U.S. Department of Transportation DTRS95G-0001.

We believe our work is potentially of both theoretical and practical importance. On the theoretical side we hope that the results presented here will be extended to a general methodology for dealing with hybrid systems, one where continuous and discrete techniques are combined in a coherent framework. The practical implications of our work are more immediate. Our results indicate that the design of specialized emergency maneuvers may be crucial to the success of an automated highway system that allows for the formation of platoons.

2  Vehicle  String  Model 

2.1  Overview  of  the  Modeling  Formalism 

Based on the work of [1], we consider a hybrid automaton, $A$, as a dynamical system that describes the evolution of a finite collection of variables, $V_A$. Variables are typed; for each $v \in V_A$ let $type(v)$ denote the type of $v$. For each $Z \subseteq V_A$, a valuation of $Z$ is a function that to each $v \in Z$ assigns a value in $type(v)$. Let $\bar{Z}$ denote the set of valuations of $Z$; we refer to $s \in \bar{V}_A$ as a system state. In this paper we assume that the evolution of the variables is over the set $T^{\geq 0} = \{t \in \mathbb{R} \mid t \geq 0\}$. The evolution of the variables involves both continuous and discrete dynamics. Continuous dynamics are encoded in terms of trajectories over $V_A$, that is functions that map intervals of $T^{\geq 0}$ to $\bar{V}_A$. Discrete dynamics are encoded by actions. Upon the occurrence of an action the system state instantaneously "jumps" to a new value. We use $\Sigma_A$ to denote the set of actions that affect the evolution of $A$.

More formally, a hybrid automaton, $A$, is a collection $(U_A, X_A, Y_A, \Sigma^{in}_A, \Sigma^{int}_A, \Sigma^{out}_A, \Theta_A, \mathcal{D}_A, \mathcal{W}_A)$ consisting of:

— Three disjoint sets $U_A$, $X_A$, and $Y_A$ of variables, called input, internal, and output variables, respectively. We set $V_A = U_A \cup X_A \cup Y_A$.

— Three disjoint sets $\Sigma^{in}_A$, $\Sigma^{int}_A$, and $\Sigma^{out}_A$ of actions, called input, internal, and output actions, respectively. We set $\Sigma_A = \Sigma^{in}_A \cup \Sigma^{int}_A \cup \Sigma^{out}_A$.

— A non-empty set $\Theta_A \subseteq \bar{V}_A$ of initial states.

— A set $\mathcal{D}_A \subseteq \bar{V}_A \times \Sigma_A \times \bar{V}_A$ of discrete transitions.

— A set $\mathcal{W}_A$ of trajectories over $V_A$.

Some technical axioms are imposed on the above sets to guarantee that the definitions are consistent. The axioms introduced in [1] are too restrictive for the application considered here; fortunately the extensions needed are fairly straightforward.

An execution, $\alpha$, of $A$ is an alternating sequence $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$, finite or infinite, where for all $i$, $a_i \in \Sigma_A$, $w_i \in \mathcal{W}_A$ is defined over a left-closed time interval and $fstate(w_0) \in \Theta_A$. In addition, if $\alpha$ is a finite sequence then it ends with a trajectory, and if $w_i$ is not the last trajectory its domain is right-closed and $(lstate(w_i), a_{i+1}, fstate(w_{i+1})) \in \mathcal{D}_A$. Here $fstate(w)$ and $lstate(w)$ denote the initial and final states of a trajectory $w$. An execution is called finite if it is a finite sequence and the domain of its final trajectory is a right-closed interval. A state $s \in \bar{V}_A$ is called reachable if it is the last state of a finite execution.

Hybrid automata "communicate" through shared variables and shared actions. Consider two automata $A$ and $B$ with $X_A \cap V_B = X_B \cap V_A = Y_A \cap Y_B = \emptyset$ and $\Sigma^{int}_A \cap \Sigma_B = \Sigma^{int}_B \cap \Sigma_A = \Sigma^{out}_A \cap \Sigma^{out}_B = \emptyset$. Under some mild technical assumptions, the composition, $A \times B$, of $A$ and $B$ can be defined as a new hybrid automaton with $U_{A \times B} = (U_A \cup U_B) \setminus (Y_A \cup Y_B)$, $X_{A \times B} = X_A \cup X_B$, $Y_{A \times B} = Y_A \cup Y_B$ and similarly for the actions. $\Theta_{A \times B}$, $\mathcal{D}_{A \times B}$ and $\mathcal{W}_{A \times B}$ are such that the executions of $A \times B$ are also executions of each automaton when restricted to the corresponding variables and actions.

A derived variable of $A$ is a function on $\bar{V}_A$. Derived variables will be used to simplify the system description, but also to facilitate the analysis. A property of $A$ is a boolean derived variable. A property is stable if whenever it is true at some state it is also true at all states reachable from that state. A property is invariant if it is true at all reachable states. Typically properties will be shown to be stable or invariant by an induction argument on the length of an execution. It is easy to show that:

Lemma 1 Assume that for all reachable states $s$ of $A$, $P$ true at $s$ implies $P$ true at $s'$ for all $s'$ such that either there exists $w \in \mathcal{W}_A$ with right-closed domain and $fstate(w) = s$ and $lstate(w) = s'$, or there exists $a \in \Sigma_A$ with $(s, a, s') \in \mathcal{D}_A$. Then $P$ is a stable property. If further $P$ is true at all $s \in \Theta_A$, then $P$ is an invariant property.

In some places differential equations will be used to simplify the description of the set $\mathcal{W}_A$. In such cases $\mathcal{W}_A$ is assumed to be populated by all trajectories generated by the differential equation in the usual way. To simplify the description of $\mathcal{D}_A$, we will assign a precondition and an effect to each action. The precondition is a predicate on $\bar{V}_A$ while the effect is a predicate on $\bar{V}_A \times \bar{V}_A$. The action can take place only from states that satisfy the precondition; moreover, the states before and after the transition should be such that the effect is satisfied. When no confusion can arise we use $v'$ to denote the value of variable $v$ after an action.


2.2  String  Model 

Consider a string of $N$ vehicles (Figure 1) moving one behind the other in a single lane, with vehicle 0 coming first. The overall model will be the composition of a number of automata (Figure 2). The plant will be a hybrid automaton containing the dynamics of all the vehicles in the string. Each vehicle is equipped with sensors and controllers. The sensor automaton $S_i$ reads the values of the plant output variables as inputs and produces real valued output variables. The controller automaton, $C_i$, reads the corresponding sensor output variables and uses them to generate the input variables of the plant. The $S_i$ and $C_i$ may have internal variables and actions. In this paper we assume that the sensor and controller automata are simple input/output maps and concentrate on the development of a realistic plant model.

Fig. 1. A string of vehicles

The plant is modeled by an automaton $P = (U_P, X_P, Y_P, \Sigma^{in}_P, \Sigma^{int}_P, \Sigma^{out}_P, \Theta_P, \mathcal{D}_P, \mathcal{W}_P)$. $P$ has no input and no output actions, hence $\Sigma^{in}_P = \Sigma^{out}_P = \emptyset$. Here we are only interested in answering questions of "safety", encoded in terms of possible collisions among the vehicles of the string. The answers to these questions will depend on the relative spacing and the velocities of the vehicles, but not their absolute position on the road. Let $\Delta x_i$ denote the spacing between vehicle $i$ and $i-1$, $v_i$ the speed of vehicle $i$, $acc_i$ its acceleration and $u_i$ its commanded acceleration² and define $x_i = [\Delta x_i \; v_i] \in \mathbb{R}^2$, $x = [x_0 \ldots x_{N-1}] \in \mathbb{R}^{2N}$ and $u = [u_0 \ldots u_{N-1}] \in \mathbb{R}^N$. Also consider a collection of boolean variables $Touching = \{Touching_1, \ldots, Touching_{N-1}\}$; the evolution of these variables (Section 2.2) will be such that $Touching_i$ is true whenever vehicle $i$ is touching vehicle $i-1$. Define the internal and input variables as $X_P = \{x, acc, Touching\}$ and $U_P = \{u\}$ respectively. Physical limitations constrain the valuations of the input variables to lie in a rectangular compact set, i.e. $u_i(t) \in [a_i^{min}, a_i^{max}]$ for all $i$ and for all $t$. The values of $a_i^{min}$ and $a_i^{max}$ are determined by the vehicle characteristics (engine, brakes, tires, etc.). To ensure that the model is realistic we impose the following assumption on $\Theta_P$ and the input constraints.

Assumption 1 For all $i$, $\Delta x_i(0) > 0$, $v_i(0) \geq 0$, $Touching_i(0) = False$ and

$$a_i^{min} < 0 < a_i^{max}$$

Discrete Dynamics The continuous system evolution can be interrupted by three classes of internal actions: collisions, vehicles touching with zero relative velocity (and subsequently "pushing" against one another) and vehicles moving apart (after having touched). We assume that the continuous evolution stops as soon as the precondition of an action becomes true, to allow the action to take place. All variables not explicitly mentioned in the effect are assumed to be unaffected by the action.

² As discussed in Section 2.2, the commanded and actual acceleration may differ when vehicles are touching and pushing each other.

Fig. 2. System modules


Consider first the case of collisions. Let $Collision_i$ be an internal action that takes place whenever vehicle $i$ collides with vehicle $i-1$. The precondition for $Collision_i$ is:

$$(\Delta x_i = 0) \wedge (v_i > v_{i-1}) \quad (1)$$

To determine the effect of the action we use a simple collision model. To determine $v_i$ and $v_{i-1}$ after the collision we solve a pair of equations:

$$M_i v'_i + M_{i-1} v'_{i-1} = M_i v_i + M_{i-1} v_{i-1} \quad (2)$$

$$v'_{i-1} - v'_i = (v_i - v_{i-1})\,\alpha_i \quad (3)$$

where $M_i$ is the mass of vehicle $i$ and $\alpha_i$ is the coefficient of restitution, a measure of the energy lost in the collision. Equation (2) is the conservation of momentum equation while Equation (3) is referred to as the restitution equation. By appropriate choice of $\alpha$ (possibly as a function of the speeds) this collision model can capture a wide range of collision scenarios. To maintain a certain level of generality in the subsequent discussion we will typically assume that the coefficient of restitution is a function of the relative velocity $v_{i-1} - v_i$ at impact and will denote it by $\alpha_i(\cdot)$. To ensure that the model is realistic we impose the following assumption:

Assumption 2 For all $i$, $M_i > 0$ and $\alpha_i(v) \in [0, 1]$ for all $v \geq 0$.

Note that in general vehicles may end up going backwards as a result of collisions if, for example, a light vehicle elastically hits a slowly moving heavy vehicle (i.e. $M_i \ll M_{i-1}$, $\alpha_i \approx 1$ and $v_{i-1} \approx 0$).

Multiple instantaneous collisions are also possible in this setting. These are situations where there exist $N_1$ and $N_2$ with $0 < N_1 < N_2 < N$ such that $\Delta x_{N_1} \neq 0$, $\Delta x_{N_2+1} \neq 0$ (if any) and for all $i$ with $N_1 < i \leq N_2$, $\Delta x_i = 0$ and $v_i > v_{i-1}$. The value, $x'$, of the state after the collision again satisfies $\Delta x'_i = \Delta x_i$ for all $i$ and $v'_i = v_i$ for all $i < N_1$ or $i > N_2$. To determine the values of $v'_i$ for $N_1 \leq i \leq N_2$ we resolve the multiple collision as a sequence of pairwise collisions, according to equations (2) and (3). The pairwise resolutions will keep taking place as long as there exists a $j$ with $N_1 < j \leq N_2$ such that $v_j > v_{j-1}$. When this condition is violated we will say that the multiple collision has been resolved. It turns out that, if the masses of the vehicles are unequal or the restitution coefficients $\alpha_j$ are not identically equal to 1, one can construct scenarios where the velocities of the vehicles after the multiple collision has been resolved depend on the order in which the pairwise resolutions were executed. To circumvent this problem we state our theorems and proofs in a way that the results hold for all possible orderings of the pairwise resolutions.
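The collision model of equations (2) and (3), and the sequential resolution of a multiple instantaneous collision, as an added example that is not part of the paper. The masses, speeds and restitution coefficients below are constructed; the `pick` argument stands for the ordering of pairwise resolutions that the paper leaves open, and the demo shows the order dependence the text describes (unequal masses, elastic impacts).

```python
"""Added example (not from the paper): the pairwise collision model of
equations (2) and (3) and the sequential resolution of a multiple
instantaneous collision. All vehicle data below are constructed."""
import math
from typing import Callable, Sequence

# alpha_i as a function of the relative speed at impact (Assumption 2: values in [0, 1])
Restitution = Callable[[float], float]


def resolve_pair(m_front: float, m_rear: float, v_front: float, v_rear: float,
                 alpha: Restitution) -> tuple:
    """Rear vehicle i (mass m_rear) hits front vehicle i-1 (mass m_front).

    Solves the two equations of the paper's collision model:
      momentum    (2): m_rear*v_rear' + m_front*v_front' = m_rear*v_rear + m_front*v_front
      restitution (3): v_front' - v_rear' = (v_rear - v_front) * alpha
    Returns (v_front', v_rear').
    """
    if v_rear <= v_front:
        raise ValueError("collision precondition (1) requires v_rear > v_front")
    a = alpha(v_rear - v_front)
    if not 0.0 <= a <= 1.0:
        raise ValueError("coefficient of restitution must lie in [0, 1]")
    momentum = m_rear * v_rear + m_front * v_front
    d = (v_rear - v_front) * a            # post-impact separation speed, from (3)
    # substitute v_front' = v_rear' + d into (2) and solve for v_rear'
    v_rear_new = (momentum - m_front * d) / (m_rear + m_front)
    return v_rear_new + d, v_rear_new


def kinetic_energy(masses: Sequence[float], velocities: Sequence[float]) -> float:
    return sum(0.5 * m * v * v for m, v in zip(masses, velocities))


def resolve_multiple(masses, velocities, gaps, alphas, pick=min):
    """Resolve a multiple instantaneous collision as a sequence of pairwise collisions.

    gaps[i] is Delta x_i (gaps[0] is ignored: no vehicle ahead of vehicle 0).
    At every step the pairs j with Delta x_j == 0 and v_j > v_{j-1} are the
    candidates; `pick` chooses which one is resolved next (the ordering the
    paper leaves open). Returns the velocities once no candidate remains.
    """
    v = list(velocities)
    while True:
        candidates = [j for j in range(1, len(v)) if gaps[j] == 0 and v[j] > v[j - 1]]
        if not candidates:
            return v
        j = pick(candidates)
        v[j - 1], v[j] = resolve_pair(masses[j - 1], masses[j], v[j - 1], v[j], alphas[j])


def order_dependence_demo():
    """Three touching vehicles, elastic impacts, unequal masses (constructed):
    resolving the front pair first or the rear pair first gives different
    final speeds, although momentum and energy are conserved either way."""
    masses = [1.0, 2.0, 1.0]
    velocities = [0.0, 5.0, 10.0]     # both pairs satisfy precondition (1) at once
    gaps = [math.inf, 0.0, 0.0]
    elastic = [None] + [lambda r: 1.0] * 2
    front_first = resolve_multiple(masses, velocities, gaps, elastic, pick=min)
    rear_first = resolve_multiple(masses, velocities, gaps, elastic, pick=max)
    return front_first, rear_first
```

With equal masses and $\alpha = 1$ the two vehicles simply exchange speeds; with $\alpha = 0$ they move off together at the momentum-weighted average. The demo's two orderings end with vehicle 0 at roughly 7.4 m/s in one case and 11.1 m/s in the other, which is exactly why the paper states its results for all orderings.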

Next, let $Touch_i$ be an internal action that takes place whenever vehicle $i$ touches vehicle $i-1$ with zero relative velocity. The precondition for $Touch_i$ is:

$$(Touching_i = False) \wedge (\Delta x_i = 0) \wedge (v_i = v_{i-1}) \wedge (acc_i \geq acc_{i-1}) \quad (4)$$

The effect of $Touch_i$ is to declare the two vehicles as touching, i.e. $Touching'_i = True$.

Finally, consider what happens when vehicles that are touching start moving away from one another. Let $Separate_i$ be an internal action that takes place whenever vehicle $i$ is already touching vehicle $i-1$ and starts to move away. The precondition for $Separate_i$ is:

$$(Touching_i = True) \wedge [(acc_i < acc_{i-1}) \vee (v_i < v_{i-1})] \quad (5)$$

The effect of $Separate_i$ is to declare the two vehicles as no longer touching, i.e. $Touching'_i = False$.


Continuous Dynamics The set of trajectories $\mathcal{W}_P$ will be generated by a dynamical system. Assume there are no vehicles ahead of the string and set $\Delta x_0 = \infty$. Then, for $i = 1, \ldots, N-1$ the laws of motion imply that:

$$\Delta\dot{x}_i(t) = v_{i-1}(t) - v_i(t)$$

$$\dot{v}_i(t) = acc_i(t)$$

The value of the actual acceleration, $acc_i$, of vehicle $i$ depends on the acceleration commanded by the controller of that vehicle, $u_i$, and on whether the vehicle is touching vehicle $i-1$ or vehicle $i+1$. In the case when the vehicles are not touching we simply set the actual acceleration equal to the commanded acceleration. The case where vehicles are touching is more complicated. The reason is that when vehicles are pushing against one another, there are forces exerted from one vehicle to the other. Therefore, the actual acceleration of a vehicle depends not only on the acceleration commanded by its own controller, but also on the accelerations commanded by the controllers of the neighboring vehicles that are pushing against it.

To resolve this issue we first introduce some abstract definitions. Consider a nonempty finite subset of the natural numbers $S \subset \mathbb{N}$. $S$ is a segment if it consists of consecutive numbers. A subsegment of a segment $S$ is any subset of $S$ that is also a segment. For segments $S_1$ and $S_2$ with $\min(S_2) = \max(S_1) + 1$ we define their concatenation (denoted by $S_1 S_2$) as the segment $S_1 \cup S_2$. A weighted average function on $S$ is any function $a : 2^S \to \mathbb{R}$ such that for all $L, R$ subsegments of $S$:

$$\min\{a(L), a(R)\} \leq a(LR) \leq \max\{a(L), a(R)\} \quad (6)$$

whenever the concatenation $LR$ is defined. A segment $S$ with a weighted average function $a$ is unsplitable if:

$$S = LR \Rightarrow a(L) \leq a(R)$$

A partition of $S$ is a finite collection $S_1, \ldots, S_n$ where $S = \bigcup_{k=1}^{n} S_k$ and for all $k$, $S_k$ is a segment and $S_k \cap S_l = \emptyset$ for $l \neq k$. Without loss of generality assume that $\min(S) = \min(S_1)$ and for all $1 < k \leq n$, $\min(S_k) = \max(S_{k-1}) + 1$ and write $S = S_1 S_2 \ldots S_n$. A partition $S_1 \ldots S_n$ of $S$ is called a maximal partition if for all $k = 1, \ldots, n$, $S_k$ is unsplitable and either $n = 1$ or for all $k = 2, \ldots, n$, $a(S_{k-1}) > a(S_k)$.

Theorem 1 For every segment, $S$, and every weighted average function, $a$, on $S$ there exists a unique maximal partition.

Though interesting, the proof of Theorem 1 is omitted here as it is not necessary for the safety results. An algorithm to construct the maximal partition has also been developed.

Intuitively (returning to the vehicle example) a maximal partition is such that vehicles in an element of the partition are pushing against one another while vehicles in different elements of the partition are moving away from one another. Assume there exist $i, j$ with $0 \leq i < j < N$ such that vehicles $i$ to $j$ are touching each other. Define the segment $S = \{i, \ldots, j\}$ and for every subset $S' \subseteq S$ consider the function:

$$a(S') = \frac{\sum_{k \in S'} M_k u_k}{\sum_{k \in S'} M_k} \quad (7)$$

One can show that $a$ is a weighted average function on $S$. To determine the acceleration of the vehicles in this collection at a given instant, let $S_1 \ldots S_n$ be the maximal partition of $S$ at that instant and for all $k = 1, \ldots, n$ set:

$$acc_l = a(S_k) \quad \text{for all } l \in S_k \quad (8)$$

If one assumes that the force exerted on a vehicle by the road depends only on the commanded acceleration of that vehicle (and not on whether the vehicle is touching other vehicles), then this choice is what one would expect from physical intuition. The total force commanded by all the vehicles determines the acceleration of their combined mass.
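The weighted average of equation (7), a construction of the maximal partition, and the resulting accelerations of equation (8), as an added example that is not part of the paper. The paper says a construction algorithm exists but does not give it; the merge procedure below is a pool-adjacent-violators style algorithm chosen here, and `is_maximal_partition` checks its output against the paper's own definitions (unsplitable blocks, strictly decreasing block averages). Masses and commanded accelerations are constructed.

```python
"""Added example (not from the paper): weighted average (7), maximal
partition of a segment of touching vehicles, and accelerations (8).
The merge algorithm is this example's choice, not the paper's; its
result is validated against the paper's definitions."""
from typing import List, Sequence


def weighted_average(masses: Sequence[float], u: Sequence[float], block: Sequence[int]) -> float:
    """Equation (7): total commanded force over total mass of the block."""
    return sum(masses[k] * u[k] for k in block) / sum(masses[k] for k in block)


def maximal_partition(masses, u, segment: Sequence[int]) -> List[List[int]]:
    """Scan the segment front to rear, keeping a stack of blocks.  A new
    block is merged into its predecessor whenever the predecessor's
    average is not strictly larger (the front block would not pull away),
    which yields unsplitable blocks with strictly decreasing averages."""
    blocks: List[List[int]] = []
    for k in segment:
        blocks.append([k])
        while (len(blocks) > 1
               and weighted_average(masses, u, blocks[-2]) <= weighted_average(masses, u, blocks[-1])):
            last = blocks.pop()
            blocks[-1].extend(last)
    return blocks


def is_maximal_partition(masses, u, blocks) -> bool:
    """Check the definition directly: every block is unsplitable
    (a(L) <= a(R) for every split S = LR) and a(S_{k-1}) > a(S_k)."""
    for blk in blocks:
        for cut in range(1, len(blk)):
            if weighted_average(masses, u, blk[:cut]) > weighted_average(masses, u, blk[cut:]):
                return False
    for prev, nxt in zip(blocks, blocks[1:]):
        if not weighted_average(masses, u, prev) > weighted_average(masses, u, nxt):
            return False
    return True


def pushing_accelerations(masses, u, segment) -> dict:
    """Equation (8): every vehicle in a block gets the block's average."""
    acc = {}
    for blk in maximal_partition(masses, u, segment):
        a = weighted_average(masses, u, blk)
        for k in blk:
            acc[k] = a
    return acc
```

For three touching vehicles of equal mass commanding $-5$, $-8$ and $-5$ m/s², the front vehicle brakes less hard than the one behind it and separates, while vehicles 1 and 2 push as one body at $-6.5$ m/s².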




2.3  Output  Evolution 

The output evolution is determined as a function of the evolution of the inputs and states. We assume that in principle all the internal variables can be made available to the controllers. Limitations imposed by current sensing and communication technology should be incorporated in the sensor automata. Therefore the information made available by vehicle $i$ is $y_i^P(t) = [x_i(t) \; acc_i(t)]$. Let $y^P = [y_0^P \ldots y_{N-1}^P] \in \mathbb{R}^{3N}$ and define the output variables as $Y_P = \{y^P\}$.


2.4  Model  Consistency  &  Safety  Requirements 

The following lemma suggests the proposed plant model agrees with basic physical intuition:

Lemma 2 The plant automaton is such that:

1. If $E$ and $E'$ are the kinetic energy before and after $Collision_i$, then $E' \leq E$.

2. $\bigwedge_{i=1}^{N-1} [\Delta x_i \geq 0]$ is an invariant property of the plant.

3. $\bigwedge_{i=1}^{N-1} [(Touching_i = True) \Rightarrow (\Delta x_i = 0)]$ is an invariant property of the plant.

The kinetic energy of the string is defined as:

The first property shows that (as expected) no energy is generated as a result of the collisions. The second property shows that the model does not allow vehicles to run over one another (a physical impossibility). The last property shows that vehicles are declared as touching by the model only when they are physically touching.

We are interested in defining the system performance in terms of the severity of the collisions experienced by the vehicles. Following [2], we assume that a collision is safe if the relative velocity at impact is below a certain threshold, $v_A$. A commonly cited threshold is $v_A = 3\,\mathrm{ms^{-1}}$ [2].

Definition 1 A string is safe if $\bigwedge_{i=1}^{N-1} [(\Delta x_i = 0) \Rightarrow (v_i \leq v_{i-1} + v_A)]$ is an invariant property.

The main limitation of our model is that it does not account for the lateral motion of the vehicles. We assume that all vehicles effectively move along a straight line. This assumption may be unrealistic, especially in the presence of collisions when large forces and moments can be exerted from one vehicle to another. The situation will be even worse when the vehicles move along a curved road.
3 Safety Conditions for Emergency Deceleration

3.1 Background

The emergency deceleration maneuver is a situation where the first vehicle in the string applies maximum deceleration until it comes to a stop, thus endangering the remaining vehicles of the string. It is assumed that the emergency deceleration of vehicle 0 is caused by some abnormal condition, such as a mechanical malfunction or an obstacle. We would like to determine the conditions under which the remaining vehicles can maintain their safety despite this "malicious" behavior of the leader.

The safety of general strings of vehicles has been analyzed using a number of techniques. Most results in the literature start by partly characterizing the string by determining "automata" for the sensors and controllers and then trying to establish the range of initial conditions and parameters for which the string is safe. This type of analysis has led to conditions under which pairs of vehicles are guaranteed not to collide [3, 4] or experience safe collisions [4, 5]. In some cases the conditions have also been extended to longer or even infinite strings [6, 7].

Perhaps the most challenging problem in this area has been the design of controllers for platoons of vehicles. A platoon is a string of very tightly spaced vehicles. Typically intra-platoon spacings are of the order of 1-2 meters. The safety of the intra-platoon controllers [6] relies on the assumption that the behavior of the first vehicle is in some sense "reasonable". This means that the controller $C_0$ takes into account the limitations of the rest of the vehicles in the string when calculating $u_0$. This requirement is clearly violated in the case of the emergency deceleration maneuver. It is conjectured however that the platoon is going to be safe even in this case [8]. The justification is that collisions are going to take place in rapid succession, because the vehicles are all close to one another. Therefore, if the speeds of all vehicles are initially the same, the relative velocity at the time of collision is going to be small. We attempt to establish conditions under which this conjecture is true.

The safety of the string under an emergency deceleration maneuver depends on the response of the remaining vehicles of the string to the deceleration of the leader. Here we consider a very simple default deceleration strategy. Assume that at time $t = 0$ the leading vehicle applies maximum deceleration, $a_0^{min}$, until it stops, at which point its commanded acceleration becomes 0. After a delay $d_i$ vehicle $i$ also applies $a_i^{min}$ until it comes to a stop. This scenario can be easily encoded in the model discussed above by simple sensor and controller automata. The results discussed here refer to the case $d_i = 0$; some of them directly extend to the more general case.

3.2 Safety Conditions For Strings of Length N=2

We first develop conditions for a string of two vehicles to be safe under the default deceleration strategy. These conditions will form the basis of safety results for longer strings. We refer to a two vehicle string as a pair. One can easily show that:
Proposition 1 $(v_0 \geq 0)$ and $(v_1 \leq 0)$ are stable properties for a pair. If $(v_1 \leq 0)$ the pair is safe (in particular $Collision_1$ cannot occur).

To derive more meaningful safety properties consider the derived variables:

$$C_1(\Delta x_1, v_0, v_1) = (a_0^{min} + a_1^{min})\,v_0^2 - 2 a_0^{min} v_0 v_1 - 2 (a_0^{min})^2 \Delta x_1 \quad (9)$$

$$C_2(\Delta x_1, v_0, v_1) = \frac{a_1^{min}}{a_0^{min}} v_0 - v_1 \quad (10)$$

$$P_1(\Delta x_1, v_0, v_1) = (v_0 - v_1)^2 - 2 (a_0^{min} - a_1^{min})\Delta x_1 - v_A^2 \quad (11)$$

$$P_2(\Delta x_1, v_0, v_1) = v_1^2 - \frac{a_1^{min}}{a_0^{min}} v_0^2 + 2 a_1^{min} \Delta x_1 - v_A^2 \quad (12)$$

To simplify the notation we will explicitly mention the function arguments only when necessary. We also introduce a derived boolean variable $C$ given by the expression:

$$C = [(C_1 \leq 0) \wedge (a_0^{min} \leq a_1^{min})] \vee [(C_2 \leq 0) \wedge (a_0^{min} \geq a_1^{min})] \vee [(v_0 = 0)] \quad (13)$$

$P_1$, $P_2$ and $C$ are used to construct safety invariants. A collision can take place either while both vehicles are moving or while vehicle 1 is moving and vehicle 0 has stopped (by Proposition 1 collisions cannot take place once vehicle 1 stops). The property $(P_1 \leq 0)$ will encode conditions that guarantee safety if a collision takes place while both vehicles are still moving. $(P_2 \leq 0)$ will encode conditions that guarantee that either no collision takes place or a safe collision takes place after vehicle 0 has stopped. The predicate $C$ will be used to distinguish the two cases.


Lemma 3 $(P_1 \leq 0) \vee (v_1 \leq 0)$ is a stable property of the pair.

Proof. $(P_1 \leq 0) \vee (v_1 \leq 0)$ is preserved by $Touch_1$ and $Separate_1$, as both these actions leave $\Delta x_1$, $v_0$ and $v_1$ unaffected. Assume $(P_1 \leq 0) \vee (v_1 \leq 0)$ is true when $Collision_1$ occurs. By Proposition 1 $(v_1 \leq 0)$ can not be true in this case. Therefore $(P_1 \leq 0)$ is true, i.e. $P_1(\Delta x_1, v_0, v_1) = P_1(0, v_0, v_1) \leq 0$. Hence, by the restitution equation (3), $(v'_0 - v'_1)^2 = (v_0 - v_1)^2 \alpha_1^2 \leq (v_0 - v_1)^2 \leq v_A^2$, as $\alpha_1 \in [0, 1]$ by Assumption 2. Therefore, $P_1(\Delta x'_1, v'_0, v'_1) = P_1(0, v'_0, v'_1) \leq 0$ and $(P_1 \leq 0) \vee (v_1 \leq 0)$ is again true after $Collision_1$.

Assume at some state, $s$, $(P_1 \leq 0) \vee (v_1 \leq 0)$ is true and consider all trajectories that start at $s$. If $(v_1 \leq 0)$ is true at $s$ it will also be true at the last state of the trajectory by Proposition 1. If $(P_1 \leq 0) \wedge (v_1 > 0)$ is true at $s$, consider the variation of $P_1$ along a trajectory:

$$\frac{d}{dt} P_1 = 2 (v_0 - v_1)(acc_0 - acc_1) - 2 (a_0^{min} - a_1^{min})(v_0 - v_1) = \begin{cases} 0 & \text{if } (v_0 > 0) \wedge (v_1 > 0) \wedge \neg Touching_1 \\ 2 a_0^{min} v_1 & \text{if } (v_0 = 0) \wedge (v_1 > 0) \wedge \neg Touching_1 \\ -2 (a_0^{min} - a_1^{min})(v_0 - v_1) & \text{if } Touching_1 \end{cases}$$

In the cases where $Touching_1 = False$, $\dot{P}_1 \leq 0$, therefore $(P_1 \leq 0)$ will be true at least until $(v_1 \leq 0)$ becomes true. If $Touching_1 = True$ and $v_0 < v_1$ (resp. $v_0 > v_1$) action $Collision_1$ (resp. $Separate_1$) occurs and the trajectory stops. If $Touching_1 = True$ and $v_0 = v_1$, then $\dot{P}_1 = 0$. Overall, $(P_1 \leq 0) \vee (v_1 \leq 0)$ will be true at the last state of the trajectory. ■

Lemma 4 If $(P_1 \leq 0) \vee (v_1 \leq 0)$ is true then the pair is safe.

Proof. If $(v_1 \leq 0)$ is true the pair is safe by Proposition 1. If $(P_1 \leq 0)$, at the time when $\Delta x_1 = 0$, $P_1(\Delta x_1, v_0, v_1) = P_1(0, v_0, v_1) \leq 0$, therefore $(v_0 - v_1)^2 \leq v_A^2$. Hence, $v_1 \leq v_0 + v_A$ and the pair is safe. ■

The conditions of Lemma 4 can be relaxed by introducing $P_2$. Consider:

$$I = [P_1 \leq 0] \vee [C \wedge (P_2 \leq 0)] \quad (14)$$

Lemma 5 $I \vee (v_1 \leq 0)$ is a stable property of the pair.

Proof. If $(P_1 \leq 0) \vee [C \wedge (P_2 \leq 0)] \vee (v_1 \leq 0)$ is true at the pre-state of $Touch_1$ or $Separate_1$ it will also be true at the post-state as both actions leave $\Delta x_1$, $v_0$ and $v_1$ unaffected. Assume $(P_1 \leq 0) \vee [C \wedge (P_2 \leq 0)] \vee (v_1 \leq 0)$ is true when $Collision_1$ occurs. If $(P_1 \leq 0) \vee (v_1 \leq 0)$ is true, it will also be true after $Collision_1$ by Lemma 3. Assume $Collision_1$ occurs while $C \wedge (P_2 \leq 0)$ is true. We distinguish the following cases:

Case 1: $(v_0 = 0) \wedge (P_2 \leq 0)$ is true. Then, at $\Delta x_1 = 0$, $v_1^2 - v_A^2 \leq 0$, therefore $v_1 = v_1 - v_0 \leq v_A$.

Case 2: $(C_1 \leq 0) \wedge (a_0^{min} \leq a_1^{min}) \wedge (P_2 \leq 0)$ is true. Then, $0 < \frac{a_1^{min}}{a_0^{min}} \leq 1$ and at $\Delta x_1 = 0$, $\frac{a_0^{min} + a_1^{min}}{2 a_0^{min}} v_0 \geq v_1$. Therefore, $v_0 \geq v_1$ and hence $(C_1 \leq 0) \wedge (a_0^{min} \leq a_1^{min}) \wedge (P_2 \leq 0)$ cannot be true when $Collision_1$ occurs.

Case 3: $(C_2 \leq 0) \wedge (a_0^{min} \geq a_1^{min}) \wedge (P_2 \leq 0)$ is true. This implies that $\frac{a_1^{min}}{a_0^{min}} \geq 1$, $\frac{a_1^{min}}{a_0^{min}} v_0 \leq v_1$ and, at $\Delta x_1 = 0$, $v_1^2 - \frac{a_1^{min}}{a_0^{min}} v_0^2 - v_A^2 \leq 0$. These three inequalities imply that $(v_0 - v_1)^2 - v_A^2 \leq 0$.

In all cases where $Collision_1$ is possible, $0 < v_1 - v_0 \leq v_A$. Therefore $(v_0 - v_1)^2 \leq v_A^2$ and hence $(v'_0 - v'_1)^2 \leq v_A^2$ (by equation (3) and Assumption 2). Therefore, if $Collision_1$ occurs while $C \wedge (P_2 \leq 0)$ is true, $(P_1 \leq 0)$ will be true after the collision. Overall, if $(P_1 \leq 0) \vee [C \wedge (P_2 \leq 0)] \vee (v_1 \leq 0)$ is true when $Collision_1$ occurs it will also be true afterwards.

Assume at some state, $s$, $(P_1 \leq 0) \vee [C \wedge (P_2 \leq 0)] \vee (v_1 \leq 0)$ is true and consider the trajectories that start at this state. If $(P_1 \leq 0) \vee (v_1 \leq 0)$ is true at $s$ it will also be true at the last state of the trajectory, by Lemma 3. If $C \wedge (P_2 \leq 0) \wedge (v_1 > 0)$ is true at $s$, consider the derivatives of the functions $C_1$, $C_2$ and $P_2$ along the trajectory:

$$\frac{d}{dt} C_1 = 2 (a_0^{min} + a_1^{min}) v_0 acc_0 - 2 a_0^{min} acc_0 v_1 - 2 a_0^{min} v_0 acc_1 - 2 (a_0^{min})^2 (v_0 - v_1) = \begin{cases} 0 & \text{if } (v_0 > 0) \wedge \neg Touching_1 \\ 2 (a_0^{min})^2 v_1 & \text{if } (v_0 = 0) \wedge \neg Touching_1 \\ 2 (a_1^{min} v_0 - a_0^{min} v_1) acc_0 - 2 (a_0^{min})^2 (v_0 - v_1) & \text{if } Touching_1 \end{cases}$$

$$\frac{d}{dt} C_2 = \frac{a_1^{min}}{a_0^{min}} acc_0 - acc_1 = \begin{cases} 0 & \text{if } (v_0 > 0) \wedge \neg Touching_1 \\ -a_1^{min} & \text{if } (v_0 = 0) \wedge \neg Touching_1 \\ \left(\frac{a_1^{min}}{a_0^{min}} - 1\right) acc_0 & \text{if } Touching_1 \end{cases}$$

$$\frac{d}{dt} P_2 = 2 v_1 acc_1 - 2 \frac{a_1^{min}}{a_0^{min}} v_0 acc_0 + 2 a_1^{min} (v_0 - v_1) = \begin{cases} 0 & \text{if } \neg Touching_1 \\ 2 \left(v_1 - \frac{a_1^{min}}{a_0^{min}} v_0\right) acc_0 + 2 a_1^{min} (v_0 - v_1) & \text{if } Touching_1 \end{cases}$$


Consider first the variation of P_2. If Touching_1 = False and as long as v_1 > 0, dP_2/dt = 0. Therefore, if (P_2 < 0) is true at s, (P_2 < 0) ∨ (v_1 < 0) will be true at the last state of the trajectory. If Touching_1 = True and v_1 ≠ v_0 the trajectory stops (as the precondition of either Collision_1 or Separate_1 is satisfied). If Touching_1 = True and v_1 = v_0 then dP_2/dt = 2(a_0^min − a_1^min) v_0 acc_0 / a_0^min. If a_0^min > a_1^min the trajectory stops and action Separate_1 occurs. Otherwise, dP_2/dt < 0, therefore (P_2 < 0) will be true at the last state of the trajectory.

Now consider the variation of C. Recall that C ∧ (v_1 ≥ 0) is assumed to be true at s. Distinguish two cases:

Case A: (C_1 < 0) ∧ (a_0^min < a_1^min) is true at s. If Touching_1 = False and as long as v_1 > 0 and v_0 > 0, dC_1/dt = 0. If Touching_1 = True and v_1 ≠ v_0 the trajectory stops (as the precondition of either Collision_1 or Separate_1 is satisfied). If Touching_1 = True and v_1 = v_0 then dC_1/dt = 2(a_1^min − a_0^min) v_0 acc_0 < 0 as a_0^min < a_1^min. Overall, [(C_1 < 0) ∧ (a_0^min < a_1^min)] ∨ (v_0 = 0) ∨ (v_1 < 0) will be true at the final state of the trajectory.

Case B: (C_2 < 0) ∧ (a_0^min > a_1^min) is true at s. If Touching_1 = False and as long as v_1 > 0 and v_0 > 0, dC_2/dt = 0. If Touching_1 = True and v_1 ≠ v_0 the trajectory stops (as the precondition of either Collision_1 or Separate_1 is satisfied). If Touching_1 = True and v_1 = v_0 then dC_2/dt = (a_1^min − a_0^min) acc_0 / a_0^min < 0, as a_0^min > a_1^min. Therefore, [(C_2 < 0) ∧ (a_0^min > a_1^min)] ∨ (v_0 = 0) ∨ (v_1 < 0) will be true at the final state of the trajectory.

Overall, if (P_1 < 0) ∨ [C ∧ (P_2 < 0)] ∨ (v_1 < 0) is true at the first state of a trajectory, it will also be true at the last state. ■


Theorem  2  (Sufficient  Condition  for  Pair  Safety)  If  I  is  initially  true  the 
pair  is  safe. 

Proof. I initially true and Lemma 5 imply [P_1 < 0] ∨ [C ∧ (P_2 < 0)] ∨ (v_1 < 0) is an invariant property of the pair. If (P_1 < 0) ∨ (v_1 < 0) is true safety is guaranteed by Lemma 4. If C ∧ (P_2 < 0) is true, the proof of Lemma 5 indicates that at Δx_1 = 0, v_1 − v_0 < v_A, which again implies safety. ■
Conditions under which the string is unsafe can be obtained in a similar way. Consider a derived boolean variable Collided which is initially false and becomes true when the action Collision_1 occurs. Let:

$$C' = (C_1 < 0) \qquad (15)$$

$$I' = [\neg C' \wedge (P_1 > 0)] \vee [(C' \vee (v_0 = 0)) \wedge (P_2 > 0)] \qquad (16)$$

Theorem 3 (Necessary Condition for Pair Safety) If I' ∧ (v_1 > 0) ∧ ¬Collided is true initially then the pair is unsafe.

The proof involves an argument similar to the one used for Theorem 2. The proof of Theorem 2 indicates that if the first collision is safe, all subsequent collisions will also be safe. The condition of Theorem 3 is therefore such that the first collision between the two vehicles is unsafe. More unsafe collisions may follow.

3.3 Safety Conditions for Strings of Length N > 2

Next, we derive a very simple sufficient condition for a string of arbitrary length to be safe. Even though the condition is conservative, interesting conclusions about the safety of platoons of vehicles can be derived from it (see Section 4). A string is near uniform mass if α_i(v) = α and αM_{k−1} < M_k < M_{k−1}/α. The near uniform mass condition allows us to put some bounds on the change of speed that a collision can induce. For example, it can be shown that:

Proposition 2 $\bigwedge_{i=0}^{N-1} (v_i \ge 0)$ is an invariant property of a near uniform mass string.

Recall  that  in  general  vehicles  may  end  up  going  backwards  due  to  a  collision. 

We construct invariant properties that allow us to characterize the safety of such a string. Let $a_{min} = \min_{0 \le k < N} a_k^{min}$ and $a_{max} = \max_{0 \le k < N} a_k^{min}$ and for 0 ≤ i < j ≤ N − 1 define $\Delta x_{ij} = \sum_{k=i+1}^{j} \Delta x_k$. For any pair of vehicles i < j, consider the function:

$$P(\Delta x_{ij}, v_i, v_j) = v_j - \frac{a_{max}}{a_{min}} v_i - v_A \qquad (17)$$

Theorem 4 (Sufficient Condition for String Safety) A near uniform mass string of N vehicles is safe if initially P(Δx_{ij}, v_i, v_j) < 0 for all i, j with 0 ≤ i < j ≤ N − 1.

The proof is again by induction. Note that the conditions of Theorem 4 involve all pairs in the string and not just adjacent vehicles.

Finally, we establish conditions such that any string formed by a collection of vehicles satisfying:

$$a_i^{min} \in [\underline{a}, \bar{a}], \quad M_i \in [\underline{M}, \bar{M}], \quad \alpha_i(v) = 1 \qquad (18)$$

is guaranteed to be safe. Assume that all vehicles in the string are initially moving with velocity v.
Fig. 3. Final configuration for theorem proof


Theorem 5 (Necessary Condition for String Safety) All strings of N vehicles satisfying (18) are safe under the default deceleration strategy only if initially (P_1(Δx_{ij}, v, v) < 0) ∨ (P_2(Δx_{ij}, v, v) < 0) is true for all i, j with 0 ≤ i < j ≤ N − 1 and for all a_i^min, a_j^min ∈ [a̲, ā].

Theorem 5 effectively states that a string may be unsafe if any two vehicles in it are unsafe. The proof is constructive: we show that, if two vehicles i and j violate the conditions of the theorem, one can choose the deceleration capabilities, a_k^min, and the masses, M_k, of vehicles k = i + 1, ..., j − 1 so that the string exhibits unsafe collisions. The idea of the construction is to bring the vehicles from their initial arrangement to the final arrangement of Figure 3, without any collisions taking place. The construction will be such that after resolving the multiple collision between vehicles i + 1, ..., j the velocity of vehicle i + 1 will be the same as the velocity of vehicle j before the collision. For ε small enough, the next collision will be between vehicles i + 1 and i and the relative velocity will be ε close to the relative velocity with which vehicles j and i would have collided if vehicles i + 1, ..., j − 1 were not there.


4  Implications  for  Platooning 


We establish bounds on the system parameters (in particular the difference in deceleration capability between the vehicles) for a string to be safe. We start with the sufficient condition of Section 3.3. Consider a near uniform mass string and let ā − a̲ = ε. Then, all strings whose vehicles satisfy (18) are guaranteed to be safe under the default deceleration strategy if $(1 - \frac{\bar{a}}{\underline{a}})\, v - v_A < 0$ or equivalently:

$$\varepsilon < -\frac{\underline{a}\, v_A}{v}$$

Substituting “typical” values of a = −9 m s^{-2} and v_A = 3 m s^{-1} leads to ε < 1.08 for v = 25 m s^{-1} and ε < 0.9 for v = 30 m s^{-1}.

For the necessary conditions of Section 3.3, note that:

$$\frac{\partial P_1}{\partial a_i^{min}} = -2\Delta x_{ij} < 0, \qquad \frac{\partial P_1}{\partial a_j^{min}} = 2\Delta x_{ij} > 0,$$

$$\frac{\partial P_2}{\partial a_i^{min}} = \frac{a_j^{min}}{(a_i^{min})^2}\, v_i^2 < 0, \qquad \frac{\partial P_2}{\partial a_j^{min}} = -\frac{v_i^2}{a_i^{min}} + 2\Delta x_{ij} > 0$$
                                 ε (m s^-2)
  N      v = 25 m s^-1, F = 1 m   v = 30 m s^-1, F = 1 m   v = 25 m s^-1, F = 2 m
  2              4.5                      4.5                      2.25
  3              2.25                     2.25                     1.125
  4              1.5                      1.5                      1.125
  5              1.125                    1.125                    1.125
  ≥ 6            1.125                    0.9                      1.125

Table 1. Maximum allowable difference in deceleration capability


Therefore, the condition (P_1(Δx_{ij}, v, v) < 0) ∨ (P_2(Δx_{ij}, v, v) < 0) for all a_i^min and a_j^min ∈ [a̲, ā] is equivalent to (P_1(Δx_{ij}, v, v) < 0) ∨ (P_2(Δx_{ij}, v, v) < 0) for a_i^min = a̲ and a_j^min = ā. To further simplify the calculation assume that initially the string is uniformly spaced, i.e. Δx_i = F for all i. Then the necessary condition for string safety requires that for all i < j:

$$\varepsilon < \max\left( \frac{v_A^2}{2(j-i)F},\; \frac{\underline{a}\,\big(2(j-i)\,\underline{a}\,F - v_A^2\big)}{v^2 - 2(j-i)\,\underline{a}\,F} \right)$$

Table 1 shows the necessary condition for ε. The numbers indicate that the sufficient condition is conservative for small strings but approaches the necessary condition as the string size increases (the number for N = 2 in Table 1 is both necessary and sufficient).
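The calculation behind the sufficient bound and Table 1, as an added Python example (not code from the paper): it evaluates ε < −a̲ v_A / v and, for the necessary condition, the largest ε for which (P_1 < 0) ∨ (P_2 < 0) still holds for every pair of a uniformly spaced string. The closed forms of P_1 and P_2 in terms of ε used inside it are this example's reading of the pair conditions (chosen to agree with the partial derivatives above and with the entries of Table 1), not expressions quoted from the paper.

```python
# Added example (not code from the paper): the two bounds on eps = a_bar - a_under
# from Section 4, with the necessary bound evaluated over all pairs of a uniformly
# spaced string so that Table 1 can be reproduced.  Decelerations are negative
# numbers as in the paper (a = -9 m s^-2); speeds in m s^-1, spacing F in m.


def sufficient_eps_bound(a_under, v_A, v):
    """Sufficient condition (Theorem 4) at uniform speed v: with a_min = a_under and
    a_max = a_under + eps, (1 - a_max/a_min) v - v_A < 0 reduces to
    eps < -a_under * v_A / v."""
    return -a_under * v_A / v


def pair_eps_bound(D, v, a_under, v_A):
    """Largest eps for which (P1 < 0) or (P2 < 0) still holds for one pair i < j at
    distance D = (j - i) F, both at speed v, with a_i^min = a_under and
    a_j^min = a_under + eps (the worst case by the signs of the partial derivatives).
    Forms assumed by this example (a = a_under):
      P1 = 2 eps D - v_A^2 < 0                      ->  eps < v_A^2 / (2 D)
      P2 = -(eps/a) v^2 + 2 (a + eps) D - v_A^2 < 0 ->  eps < a (2 a D - v_A^2) / (v^2 - 2 a D)
    The second denominator is positive because a < 0."""
    from_p1 = v_A ** 2 / (2 * D)
    from_p2 = a_under * (2 * a_under * D - v_A ** 2) / (v ** 2 - 2 * a_under * D)
    return max(from_p1, from_p2)


def necessary_eps_bound(N, F, v, a_under=-9.0, v_A=3.0):
    """Necessary condition (Theorem 5) for N uniformly spaced vehicles: every pair
    i < j must satisfy its own bound, so the allowable eps is the minimum over all
    pair distances (j - i) F with j - i = 1 .. N-1."""
    return min(pair_eps_bound(k * F, v, a_under, v_A) for k in range(1, N))


def table_1(sizes=(2, 3, 4, 5, 6), columns=((25.0, 1.0), (30.0, 1.0), (25.0, 2.0))):
    """Rows of Table 1 as {N: [eps bound per (v, F) column]}.  The N = 6 row also
    covers N >= 6: once (j - i) F is large enough the minimum over pairs no longer
    changes, which is the saturation the text remarks on."""
    return {N: [necessary_eps_bound(N, F, v) for v, F in columns] for N in sizes}


if __name__ == "__main__":
    for v in (25.0, 30.0):
        print(f"sufficient: eps < {sufficient_eps_bound(-9.0, 3.0, v):.3f} at v = {v} m/s")
    for N, row in table_1().items():
        print(N, ["%.3f" % x for x in row])
```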

If the string represents a platoon and based on the characteristics of vehicles on current highways, the bound on ε is reasonable for N = 2 but rather restrictive for higher platoon sizes (even under perfect road conditions). Note also that the calculation saturates after the first few vehicles; a similar observation was made in [6] about the increase in deceleration effort required along a platoon for “string stability”. Overall, the above calculations indicate that the safety of the platooning system under emergency braking can only be guaranteed under rather limited conditions, in particular for small platoons consisting of vehicles of similar deceleration capabilities. This observation is in agreement with the numerical study of [9]. One can improve the situation by modifying the system parameters, by arranging the vehicles in a platoon in a particular order (e.g. in the order of increasing deceleration capability) and by designing better deceleration controllers. All these alternatives are the topic of current research.

5  Concluding  Remarks 

The string system introduced here is an interesting example for trying out different hybrid systems techniques. The system is simple enough to approach analytically, yet it can produce executions with very complex continuous-discrete interaction, even for string sizes as small as N = 3. Here we used induction arguments to answer safety questions; induction proofs are ideally suited to the structure imposed by the HIOA modeling formalism used to encode the system.

We are currently working on extending the results discussed here to account for phenomena like sensing and actuation uncertainties and delays. These extensions are likely to involve the use of simulation relations and abstraction mappings (similar analysis was carried out in [5] for a simpler system). We are also trying to investigate the effect of different deceleration strategies. Allowing different deceleration strategies makes the problem much more challenging; for example more sophisticated analysis techniques may be needed to ensure that the proposed controllers do not resort to “Zeno” executions to ensure the safety of the system³. The ultimate goal is of course to construct an optimal deceleration strategy for each string; powerful optimal control tools are likely to be needed for this purpose. Hopefully solutions to these problems will suggest ways in which control theory and computer science techniques can be used in tandem to address complicated questions in hybrid systems.
Abstract. The Center-TRACON Automation System (CTAS) is a collection of planning and control software functions that generate landing schedules and advisories to assist air traffic controllers in handling traffic in the en-route and terminal areas. In this paper, we propose a formal safety analysis methodology to determine the correctness of CTAS with respect to safety. Four large classes of safety notions are identified for the CTAS problem: nominal, robust, structural and degraded. For nominal safety questions we seek conditions under which the system is guaranteed to be nominally safe.


1  Introduction 

The  increasing  demand  for  air  travel  has  spurred  the  development  of  tools  to 
increase  airspace  utilization,  smooth  air  traffic  flow  and  reduce  fuel  consumption, 
time  delays  and  controller  workload.  In  an  effort  to  meet  these  objectives,  NASA 
has  developed  the  Center-TRACON  Automation  System  (CTAS)  [1].  CTAS  is  a 
collection  of  planning  and  control  functions  which  generate  advisories  to  assist, 
but  not  replace,  the  controllers  in  handling  traffic  in  the  Center  and  TRACON 
areas. 

The structure and functionality of CTAS are briefly discussed in Section 2. CTAS is a large scale, safety-critical software system that should ideally be validated before it is deployed. The validation process is complicated by the fact that the overall system is hybrid, as the (primarily) discrete dynamics of the algorithm are coupled with the continuous dynamics of the aircraft and the human operators. We present a formal approach to the safety analysis of the CTAS system. We view our work as a first step towards the development of a general methodology for the analysis of large scale, hybrid software systems². Our methodology proceeds in the following steps:

* Research supported by the FAA and NASA under Research Contract DTFA03-97-D-0004 and Grant 96-C-001 and by the Army Research Office under Grant DAAH04-95-1-0588.

² For another example of such a system in air traffic control see [2].
- System Modeling: The CTAS system is modeled in the Hybrid Input-Output Automata formalism (Section 3).

- Safety Specification: We identify notions of safety and determine the desired system specification. We consider four classes of safety measures: nominal, robust, structural and degraded safety (Section 4).

- Safety Analysis: Given the CTAS model in the hybrid input-output automata formalism and the nominal safety specification, deductive techniques will be used to determine conditions under which the system satisfies the specification. To tackle the complexity of the analysis, high level specifications (at the level of CTAS) are partitioned into sub-specifications for the lower level components. The components are analyzed individually to determine whether they meet the corresponding specifications. The proof for the overall CTAS system is composed from the component proofs using abstraction relations.


2  CTAS  Overview 

The Air Traffic Control system consists of three types of control facilities: Air Route Traffic Control Centers (Centers) which control en-route flights, Terminal Radar and Approach Control facilities (TRACON) which control arriving and departing flights within 30 nautical miles of airports and Airport Control Towers which control traffic in the immediate vicinity of the airport and on the ground. In the United States there are 20 Centers and over 400 TRACONs. The Center-TRACON Automation System provides advisories for the air traffic controllers, in an attempt to increase airspace utilization, reduce delays, fuel consumption and controller workload and improve safety. CTAS consists of three main components:

—  Traffic  Management  Advisor  (TMA) 

—  Descent  Advisor  (DA) 

—  Final  Approach  Spacing  Tool  (FAST) 

TMA  [3]  and  DA  [4]  coexist  and  operate  in  Center  airspace  whereas  FAST  [5] 
operates  as  a  stand  alone  in  TRACON  airspace.  Even  though  currently  CTAS 
deals  only  with  arrival  traffic,  future  versions  will  incorporate  the  User  Preferred 
Routing  tool  (UPR)  [6]  for  en  route  traffic  to  support  Free  Flight  [7]  and  the 
Expedited  Departure  Path  tool  (EDP)  for  departure  traffic.  UPR  and  EDP  will 
coexist  with  TMA  and  DA  in  the  Center  Airspace  whereas  FAST  will  be  in 
charge  of  all  terminal  area  traffic.  Currently,  stand  alone  versions  of  TMA  and 
FAST  are  being  field  tested  at  Dallas-Fort  Worth  whereas  DA  is  being  field 
tested  at  Denver. 


2.1  CTAS  Architecture 

The architecture of CTAS is shown in Figure 1. CTAS is a human centered control system. It receives information from the aircraft and computes schedules and advisories, which are then transmitted to the aircraft by the controllers. The feedback nature of the architecture makes CTAS reactive. If aircraft do not follow the advisories or controllers manually change the landing schedule, CTAS will readjust and produce new advisories in the next computation cycle. Thought of as a large input-output system, CTAS receives input from:


- Controllers: The Traffic Management Coordinator (TMC), who resides in a Center, sets the capacity and acceptance rates for various runways, airports and the TRACON and can alter the landing sequence or schedule. The Center and TRACON controllers may select particular routes or runways for particular aircraft and impose constraints on the landing sequence or routing. Controller preferences are input through graphical user interfaces: the TMA Graphical User Interface (TGUI), which is used by the TMC, and the Plainview Graphical User Interface (PGUI), which is used by all Center and TRACON controllers.

- Radar Daemon: The radar daemon periodically receives aircraft state information regarding position, altitude, speed, aircraft type and flight plan.

-  Weather  Daemon:  The  weather  daemon  receives  weather  information  from 
the  National  Weather  Service.  Currently  the  weather  reports  include  wind, 
temperature  and  pressure  profiles  in  the  form  of  a  three  dimensional  grid 
whose  edge  length  is  50  miles.  The  weather  reports  are  updated  every  hour 
and  contain  forecasts  for  the  next  three  hours. 

Internally, CTAS utilizes detailed databases which include aircraft, aerodynamic and engine models for all aircraft types. These models are used to perform accurate trajectory prediction for each aircraft. Other databases contain information on the local airspace structure in terms of way-points and routes, site adaptation data such as TRACON, airport and runway configurations and site specific constraints. A Communication Manager supports the internal communication of data between the various processes. After all internal calculations are performed, the main outputs of CTAS are:


-  Landing  Schedules:  CTAS  performs  runway  allocation  for  all  arriving 
aircraft  and  produces  a  time-line  schedule  and  sequence  for  each  runway. 
Scheduling  is  initially  performed  in  the  Center  Area  by  the  TMA  and  the 
output  is  graphically  displayed  on  the  TGUI  which  is  used  by  the  TMC. 
Once  in  the  TRACON  area,  FAST  recomputes  and  overrides  the  previous 
schedule.  The  new  schedule  is  then  displayed  on  the  PGUI. 

- Advisories: CTAS also computes heading, altitude and speed advisories. DA provides the advisories in Center airspace whereas FAST provides advisories in the terminal area. The advisories are displayed on the GUIs and are then transmitted by voice from the controllers to the aircraft.
Fig. 1. CTAS Architecture

3  Hybrid  Input-Output  Automata 

In  this  section  we  give  a  brief  overview  of  a  model  for  the  CTAS  system.  In 
Section  3.1  we  outline  the  modeling  formalism  (a  formal  discussion  can  be  found 
in  [8])  and  discuss  the  features  that  make  it  ideal  for  modeling  the  CTAS  system. 
In  Section  3.2  we  show  how  models  can  be  constructed  in  this  framework  for  one 
of  the  CTAS  components,  the  FAST  algorithm. 


3.1  Overview  of  the  Modeling  Framework 

Based on the work of [8], we consider a hybrid automaton, A, as a dynamical system that describes the evolution of a finite collection of variables, V_A. Variables are typed; for each v ∈ V_A let type(v) denote the type of v. For each Z ⊆ V_A, a valuation of Z is a function that to each v ∈ Z assigns a value in type(v). Let Z̄ denote the set of valuations of Z; we refer to s ∈ V̄_A as a system state. In this paper we assume that the evolution of the variables is over the set T^{≥0} = {t ∈ R | t ≥ 0}. The evolution of the variables involves both continuous and discrete dynamics. Continuous dynamics are encoded in terms of trajectories over V_A, that is functions that map intervals of the time axis to V̄_A. Discrete dynamics are encoded by actions. Upon the occurrence of an action the system state instantaneously “jumps” to a new value. We use Σ_A to denote the set of actions that affect the evolution of A.

Formally, a hybrid automaton, A = (U_A, X_A, Y_A, Σ_A^in, Σ_A^int, Σ_A^out, Θ_A, D_A, W_A), is a collection of:

— Three disjoint sets U_A, X_A, and Y_A of variables, called input, internal, and output variables, respectively. We set V_A = U_A ∪ X_A ∪ Y_A.

— Three disjoint sets Σ_A^in, Σ_A^int, and Σ_A^out of actions, called input, internal, and output actions, respectively. We set Σ_A = Σ_A^in ∪ Σ_A^int ∪ Σ_A^out.

— A non-empty set Θ_A ⊆ V̄_A of initial states.

— A set D_A ⊆ V̄_A × Σ_A × V̄_A of discrete transitions.

— A set W_A of trajectories over V_A.

Some  technical  axioms  are  imposed  on  the  above  sets  to  guarantee  that  the 
definitions  are  consistent. 

An execution, α, of the hybrid automaton A is a finite or infinite alternating sequence α = w_0 a_1 w_1 a_2 w_2 ···, where for all i, a_i ∈ Σ_A, w_i ∈ W_A is defined over a left closed time interval, fstate(w_0) ∈ Θ_A, if α is a finite sequence then it ends with a trajectory, and if w_i is not the last trajectory its domain is right-closed and (lstate(w_i), a_{i+1}, fstate(w_{i+1})) ∈ D_A. Here fstate(w) and lstate(w) denote the initial and final states of a trajectory w. An execution is called finite if it is a finite sequence and the domain of its final trajectory is a right-closed interval. A state s ∈ V̄_A is called reachable if it is the last state of a finite execution.

To capture the evolution of an HIOA from the point of view of the “outside world” the notion of a trace is introduced. Roughly speaking a trace is an execution projected to the external (input and output) variables and actions. Two automata A and B are called comparable if they have the same external interface. If A and B are comparable, then we say that A implements B if the hybrid traces of A are a subset of those of B. Typically one thinks of B as a specification and A as an implementation of the specification. A specification is usually a more abstract description that imposes weaker restrictions on the system behavior. Proving that one hybrid automaton implements another can be a complicated task. Usually it is broken up in a series of steps, where the abstract specification is progressively refined. At each step implementation is proved using simulation relations. A simulation from A to B is a relation R ⊆ V̄_A × V̄_B such that (roughly speaking) two states, r of A and s of B, are related through R if from state s B can reproduce any move that A makes from r (discrete or continuous) by a hybrid execution which is indistinguishable from the move of A from the point of view of the outside world. The final states of the two moves should again be related by R.

Hybrid automata “communicate” through shared variables and shared actions. Consider two automata A and B with X_A ∩ V_B = X_B ∩ V_A = Y_B ∩ Y_A = ∅ and Σ_A^int ∩ Σ_B = Σ_B^int ∩ Σ_A = Σ_A^out ∩ Σ_B^out = ∅. Under some mild technical assumptions, the composition, A × B, of A and B can be defined as a new hybrid automaton with U_{A×B} = (U_A ∪ U_B) \ (Y_A ∪ Y_B), X_{A×B} = X_A ∪ X_B, Y_{A×B} = Y_A ∪ Y_B (similarly for the actions). Θ_{A×B}, D_{A×B} and W_{A×B} are such that the executions of A × B are also executions of each automaton when restricted to its variables and actions. It can be shown that composition respects implementation.

A  derived  variable  of  A  is  a  function  on  Va-  Derived  variables  will  be  used 
to  simplify  the  system  description,  but  also  to  facilitate  the  analysis.  A  property 
of  A  is  a  boolean  derived  variable.  A  property  is  stable  if  whenever  it  is  true  at 
some  state  it  is  also  true  at  all  states  reachable  from  that  state.  A  property  is 
invariant  if  it  is  true  at  all  reachable  states.  Typically  properties  will  be  shown 
to  be  stable  or  invariant  by  an  induction  argument  on  the  length  of  an  execution. 

In some places differential equations will be used to simplify the description of the set W_A. In such cases W_A is assumed to be populated by all trajectories generated by the differential equation in the usual way. To simplify the description of D_A, we will assign a precondition and an effect to each action. The precondition is a predicate on V̄_A while the effect is a predicate on V̄_A × V̄_A. The action can take place only from states that satisfy the precondition; moreover, the states before and after the transition should be such that the effect is satisfied.
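To make these definitions concrete, the following Python block (an added example, not code from the paper or from CTAS) encodes one small hybrid I/O automaton and checks a candidate execution against the definition of an execution, the precondition/effect form of D_A and a property evaluated at every state of the execution. The automaton itself, its sampling period T, the observation interval width N_P, the speed bound V_MAX and the variable names are assumptions of the example.

```python
# Added example (not code from the paper or from CTAS): one small hybrid I/O automaton
# written against the definitions above.  A body moves in one dimension (p' = v,
# v' = acc, acc constant) while an observer records p_hat every T seconds; the only
# action is "sample" (precondition clock >= T, effect |p_hat' - p| <= N_P/2, clock' = 0).
# T, N_P, V_MAX and the variable names are assumptions of this example.
from dataclasses import dataclass

T = 1.0       # sampling period (assumed)
N_P = 0.2     # width of the interval in which the observation p_hat lies (assumed)
V_MAX = 10.0  # |v| bound imposed on every trajectory in W_A (assumed)


@dataclass
class Trajectory:
    """A trajectory w over the closed interval [0, dur], in closed form."""
    start: dict   # valuation of {p, v, acc, clock, p_hat} at time 0
    dur: float

    def state(self, t):
        s = self.start
        return {**s, "p": s["p"] + s["v"] * t + 0.5 * s["acc"] * t * t,
                "v": s["v"] + s["acc"] * t, "clock": s["clock"] + t}

    def fstate(self):
        return self.state(0.0)

    def lstate(self):
        return self.state(self.dur)

    def in_W(self):
        """Membership in W_A: the clock never passes T (sample is urgent) and |v| <= V_MAX.
        v and clock are monotone in t, so checking both endpoints suffices."""
        return all(abs(self.state(t)["v"]) <= V_MAX and self.state(t)["clock"] <= T + 1e-12
                   for t in (0.0, self.dur))


@dataclass
class Action:
    name: str     # "sample" is the only action of this automaton


def theta(s):
    """Initial states Theta_A: clock at zero and a consistent first observation."""
    return s["clock"] == 0.0 and abs(s["p_hat"] - s["p"]) <= N_P / 2


def precondition(s, a):
    return a.name == "sample" and s["clock"] >= T - 1e-12


def effect(s, a, s2):
    """(s, a, s2) in D_A: fresh observation within N_P/2 of the true position, clock
    reset, every other variable unchanged."""
    return (a.name == "sample" and abs(s2["p_hat"] - s["p"]) <= N_P / 2
            and s2["clock"] == 0.0 and all(s2[k] == s[k] for k in ("p", "v", "acc")))


def is_execution(alpha):
    """The definition of an execution: alternating w0 a1 w1 a2 w2 ..., starting and ending
    with a trajectory, fstate(w0) in Theta_A, every w_i in W_A and every
    (lstate(w_i), a_{i+1}, fstate(w_{i+1})) in D_A."""
    if not alpha or not isinstance(alpha[0], Trajectory) or not isinstance(alpha[-1], Trajectory):
        return False
    if not theta(alpha[0].fstate()):
        return False
    for i, item in enumerate(alpha):
        if i % 2 == 0:
            if not (isinstance(item, Trajectory) and item.in_W()):
                return False
        elif not (isinstance(item, Action) and isinstance(alpha[i + 1], Trajectory)):
            return False
        else:
            s, s2 = alpha[i - 1].lstate(), alpha[i + 1].fstate()
            if not (precondition(s, item) and effect(s, item, s2)):
                return False
    return True


def observation_error_bounded(s):
    """Property (boolean derived variable): the held observation never drifts more than
    N_P/2 + V_MAX * T from the true position."""
    return abs(s["p_hat"] - s["p"]) <= N_P / 2 + V_MAX * T + 1e-9


def holds_along(alpha, prop, samples=20):
    """Evaluate a property at every state of an execution (each trajectory sampled at its
    endpoints and `samples` interior points); the induction argument for invariance is
    this check carried out for all executions from Theta_A."""
    return all(prop(w.state(w.dur * k / samples))
               for w in alpha if isinstance(w, Trajectory) for k in range(samples + 1))


def sample_execution():
    """Constructed execution: three sampling periods of a gently braking body, observations
    rounded to the N_P grid, then a final half-period trajectory."""
    s = {"p": 0.0, "v": 8.0, "acc": -0.5, "clock": 0.0, "p_hat": 0.0}
    alpha = []
    for _ in range(3):
        w = Trajectory(s, T)
        last = w.lstate()
        alpha += [w, Action("sample")]
        s = {**last, "clock": 0.0, "p_hat": round(last["p"] / N_P) * N_P}
    alpha.append(Trajectory(s, 0.5))
    return alpha
```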

The  following  properties  of  the  HIOA  formalism  are  especially  useful  for 
CTAS  modeling: 

1. Descriptive Power: The modeling formalism provides a uniform framework in which one can describe the evolution of general classes of variables, ranging from real and integer numbers (with their associated mathematical structure) to abstract high level data types typically found in a computer program.

2. Hybrid Dynamics: The formalism allows us to capture continuous and discrete dynamics and the interaction between the two.

3. Compositionality: The modeling formalism allows us to build up the description of the complicated CTAS system by combining simpler entities.

4. Abstraction: The notion of specification and implementation allows us to describe the system at various levels of abstraction. This provides a way of showing that the CTAS code satisfies a specification through a sequence of progressive refinement. Abstraction also allows us to structure proofs hierarchically, with simulation relations connecting the levels of the proof hierarchy.


3.2  Formal  CTAS  Model 

Fig. 2. CTAS Feedback Loop

The CTAS system will be modeled as an interconnection of a number of components (Figure 2). In this section we will show how the input-output interaction between these components can be captured by appropriate hybrid automata. The models given here will be “high level”; in a number of places we will use derived variables to represent parts of the algorithm, the air traffic controller behavior, etc. for which we can not provide explicit expressions at this stage. The model can be refined until it contains sufficient details to carry out meaningful safety analysis. The refinement primarily involves providing explicit expressions for these derived variables. Here we will briefly discuss the operation of all the components shown in Figure 2. For the time being we restrict our attention to FAST; the remaining CTAS components can be similarly modeled. Examples of HIOA pseudo-code for FAST can be found in the appendix; for more examples see [9].

Aircraft Model: The system we consider consists of N aircraft, labeled 1, ..., N. Each aircraft, i, is modeled by a hybrid automaton, A_i = (U_{A_i}, X_{A_i}, Y_{A_i}, Σ_{A_i}^in, Σ_{A_i}^int, Σ_{A_i}^out, Θ_{A_i}, D_{A_i}, W_{A_i}). At this stage we assume that the aircraft evolution is not affected by any actions, input, output or internal (Σ_{A_i}^in = Σ_{A_i}^int = Σ_{A_i}^out = ∅ and hence D_{A_i} = ∅). At a later stage appropriate actions can be added to model discrete changes in the physical system, such as malfunctions.

Each aircraft is identified by its type, for example, Turbojet, 747, etc. This information is stored in an internal variable Type_i. The physical movement of the aircraft is summarized by the trajectories of its position and velocity. Let p_i = (x_i, y_i, z_i) ∈ R^3, v_i = (v_i^x, v_i^y, v_i^z) ∈ R^3 be the position and velocity of the aircraft with respect to some fixed reference frame on the ground. The motion of the aircraft is influenced by the commands of the pilot and the environmental conditions. Let a_i represent the pilot commands (for the engine, control surfaces, flaps, etc.) and w_i the environmental conditions at the current position of aircraft i (wind and temperature for example). We assume that all trajectories in W_{A_i}
satisfy the differential equation:

$$\frac{d}{dt}\begin{bmatrix} p_i(t) \\ v_i(t) \end{bmatrix} = \begin{bmatrix} v_i(t) \\ f(Type_i, v_i(t), a_i(t), w_i(t)) \end{bmatrix} \qquad (1)$$


We set Y_{A_i} = {Type_i, p_i, v_i}, U_{A_i} = {a_i, w_i} and X_{A_i} = ∅. The function f returns the acceleration of the aircraft, which will in general depend on the aircraft type, the aircraft velocity, the commands of the pilot and the weather conditions.

The aircraft automaton is only partly specified at this stage. We still need to provide an expression for the derived variable f. This expression is likely to be very complicated. For the preliminary safety analysis we start with simple formulas (such as f = a_i); more accurate expressions can be obtained from the aircraft model database used by CTAS.

Environment Model: We assume that the motion of each aircraft is influenced by the wind and temperature at its current position. To encode this information we introduce a hybrid automaton E = (U_E, X_E, Y_E, Σ_E^in, Σ_E^int, Σ_E^out, Θ_E, D_E, W_E). The environment automaton has no internal, input or output actions (Σ_E = ∅) and no internal variables (X_E = ∅). Its inputs are the positions of all aircraft, (U_E = {p_i}_{i=1}^N) and its outputs (denoted by w_i ∈ R^4) are the wind magnitude and direction and the temperature at each one of these positions (Y_E = {w_i}_{i=1}^N). The environmental conditions are encoded by a function W : R^+ × R^3 → R^4, that returns the wind and temperature at the current time and the given location.

The environment model is only partly specified at this stage. To complete
the description we need to provide an expression for the derived variable $W$. We
propose to start with very simple expressions (e.g. $W$ constant as a function of
time) and refine them at a later stage, as the description of the automata that
make use of the weather information (the aircraft and the weather daemon,
soon to be specified) becomes more detailed.

Radar Automaton: CTAS obtains information about the state of each aircraft
through radar. We model the radar by a hybrid automaton $R = (U_R, X_R, Y_R, \Sigma^{in}_R, \Sigma^{int}_R, \Sigma^{out}_R, \Theta_R, \mathcal{D}_R, \mathcal{W}_R)$.
The input variables of $R$ are the positions
and velocities of all aircraft ($U_R = \{p_i, v_i\}_{i=1}^N$) while the output variables of $R$
are estimates of these quantities, denoted by $\hat{p}_i$ and $\hat{v}_i$ ($Y_R = \{\hat{p}_i, \hat{v}_i\}_{i=1}^N$). At
this stage the radar automaton is assumed to have no input or internal actions
($\Sigma^{in}_R = \Sigma^{int}_R = \emptyset$).

The information that the radar provides about the aircraft is quantized spatially
and sampled temporally. We assume that the output variables of the radar
automaton fall within an interval centered at the "correct" values dictated by
the actual state of the system. Let $n_p \in \mathbb{R}^3$ and $n_v \in \mathbb{R}^3$ denote the width
of the intervals for $\hat{p}_i$ and $\hat{v}_i$ respectively. At this stage we assume $n_p$ and $n_v$
are constant; these quantities may become internal variables later on, to model
variations of the accuracy of sensing with position and environmental conditions,
for example. The output variables of the radar are updated every $T_R$ seconds,
upon the occurrence of an output action $Sample_R$. We set $\Sigma^{out}_R = \{Sample_R\}$.
An internal variable $T_R \in \mathbb{R}$ keeps track of the time that has elapsed since the
last sample. $T_R$ is typically of the order of a few seconds. Once values for $n_p$, $n_v$
and $T_R$ are available the radar automaton will be completely specified.
Weather Daemon: CTAS also obtains information about the environmental
conditions in the vicinity of each aircraft. This information is provided by a
hybrid automaton $D = (U_D, X_D, Y_D, \Sigma^{in}_D, \Sigma^{int}_D, \Sigma^{out}_D, \Theta_D, \mathcal{D}_D, \mathcal{W}_D)$. $D$ is
very similar to the radar automaton $R$. $D$ has no input or internal actions
($\Sigma^{in}_D = \Sigma^{int}_D = \emptyset$). Its input variables are the weather conditions at the location
of each aircraft ($U_D = \{w_i\}_{i=1}^N$) and its output variables are estimates of these
quantities denoted by $\hat{w}_i$ ($Y_D = \{\hat{w}_i\}_{i=1}^N$). $\hat{w}_i$ are quantized to within $n_w \in \mathbb{R}^4$
of the real environmental conditions and sampled every $T_W$ time units, upon the
occurrence of an output action $Sample_W$.

The FAST Automaton: The FAST algorithm itself will be encoded by a hybrid
automaton $FAST = (U_{FAST}, X_{FAST}, Y_{FAST}, \Sigma^{in}_{FAST}, \Sigma^{int}_{FAST}, \Sigma^{out}_{FAST}, \Theta_{FAST}, \mathcal{D}_{FAST}, \mathcal{W}_{FAST})$.
The input variables of FAST are the output variables
of the radar and weather daemon automata and type information from
the aircraft automata. Overall, $U_{FAST} = Y_R \cup Y_D \cup \{Type_i\}_{i=1}^N$. FAST provides
advisories to the air traffic controllers for all aircraft, $Y_{FAST} = \{adv_i\}_{i=1}^N$.
An internal variable, $FAST\_AC \subseteq \{1, \ldots, N\}$, is used to store the labels of
all aircraft currently in the TRACON. It is assumed that for aircraft not currently
in the TRACON ($i \notin FAST\_AC$) a default advisory $adv_i = \bot$ (undefined)
is issued. For aircraft in the TRACON, the nature of the advisory depends
on the version of FAST. This information is stored in an internal variable
$Version \in \{Active, Passive\}$. If $Version = Passive$, the advisory for each aircraft
consists of a runway assignment and a landing sequence. If $Version = Active$,
FAST also provides heading, altitude or speed commands. At this stage we model
these commands as a position in the $x$-$y$ plane, $P$, and a number, $V$, that
encodes a desired heading, altitude or speed; the interpretation is that the pilot is
asked to guide the aircraft to $P$ and achieve $V$ by the time it gets there. The
advisory calculations involve the degrees of freedom available to each aircraft and
are restricted by sequencing constraints imposed by the air traffic controllers.
This information is stored in internal variables $dof_i$ and $Constraints$. Overall,
$X_{FAST} = \{FAST\_AC, Constraints, Version\} \cup \{dof_i\}_{i=1}^N$.

The evolution of the FAST automaton is disrupted by input actions. After
each action the advisories for all aircraft currently in the TRACON are recalculated.
The calculation is encoded by a derived variable Calculate_Advisory.
Input actions $Sample_R$ and $Sample_W$ are the output actions of the radar and
weather daemon automata respectively. Their role is to recalculate the advisories
whenever new data becomes available. Input action Center_Handoff(i)
occurs when aircraft $i$ enters the TRACON. It represents the hand-off of aircraft
from the Center to the TRACON air traffic controllers and is assumed to
be the output of a hybrid automaton modeling the air traffic controllers. The
effect of Center_Handoff(i) is to add aircraft $i$ to the list of aircraft currently
in the TRACON, initialize its possible degrees of freedom and recalculate the
advisories for all aircraft. The degrees of freedom are initialized according to
a derived variable Default_dof(i), whose "output" will typically depend on the
aircraft type, the point of entry into the TRACON, the weather, etc.

The TRACON air traffic controller influences the evolution of FAST through
three input actions. Using action Constrain_Order(i, j), the controller can force
FAST to schedule aircraft $i$ before aircraft $j$. The effect of this action is to add
$(i, j)$ to the list of sequencing constraints maintained by FAST and recalculate
the advisories. Constrain_dof(i, dof) allows the controller to reduce the degrees
of freedom that FAST considers for aircraft $i$. Upon occurrence of the action
FAST removes the specified degree of freedom from the list $dof_i$ and recalculates
the advisories. Finally, the action Tower_Handoff(i) occurs when aircraft $i$ lands
and is handed off to the tower controllers. The effect of the action is to remove $i$
from the list of aircraft currently in the TRACON, together with all sequencing
constraints involving $i$ on the remaining aircraft. The advisories for the remaining
aircraft are recalculated.

To complete the description of the FAST automaton we need to provide
expressions for the derived variables Default_dof(i) and Calculate_Advisory. The
expressions need to be extracted from the FAST documentation.

Air Traffic Controller Model: The air traffic controllers are modeled by
a hybrid automaton, $ATC = (U_{ATC}, X_{ATC}, Y_{ATC}, \Sigma^{in}_{ATC}, \Sigma^{int}_{ATC}, \Sigma^{out}_{ATC}, \Theta_{ATC}, \mathcal{D}_{ATC}, \mathcal{W}_{ATC})$.
The inputs to ATC are the advisories from FAST
as well as all the information available for each aircraft. Overall $U_{ATC} = \{adv_i, Type_i, p_i, v_i, w_i\}_{i=1}^N$.
As at this stage we are only concerned with the FAST
operation, ATC will primarily model the TRACON air traffic controllers. The
only function of the Center air traffic controllers in this setting is to feed aircraft
into the TRACON, by executing action Center_Handoff(i). We assume
that the Center contains a number of aircraft, whose labels are stored in an
internal variable Center_AC. An aircraft gets removed from this list and is
handed off to the TRACON controller upon the occurrence of output action
Center_Handoff(i). The precondition of the action is a boolean derived variable
Center_Handoff_Condition(i).

The TRACON controller may choose not to follow a particular advisory or
to follow it after some delay. This information is stored in the boolean internal
variables $Follow_i$ and the real internal variables $d_i$. We assume that the controller
keeps track of the previous advisory issued by CTAS for aircraft $i$ in an internal
variable $Old\_Advisory_i$. $Old\_Advisory_i$ is used to trigger an internal action
$New\_Advisory_i$. Upon occurrence of the action the controller decides whether
the new advisory will be followed and selects a delay. If the controller chooses
to follow the advisory, the speed, altitude or heading command is transmitted
to the pilot of aircraft $i$ after a delay $d_i$, upon the occurrence of an output action
$Send_i$. If the controller chooses not to follow the advisory or if FAST is
"passive" the transmitted command is assumed to be determined by a derived
variable Independent_Choice(i). Our model also allows controllers to issue independent
commands in between the FAST advisories, whenever a boolean derived
variable Independent_Choice_Condition(i) becomes true.

The controller can influence FAST through actions Constrain_Order(i, j) and
Constrain_dof(i, dof). The preconditions for these actions are encoded by boolean
internal variables Order_Condition(i, j) and DOF_Condition(i, dof). We assume
that the controller keeps track of the constraints it has previously issued. This
will allow us to make the controller model more realistic later on (for example,
require that the controller does not issue contradictory constraints). Finally, the
TRACON controller decides when the aircraft has landed and hands it off to the
tower controllers. This "action" is encoded by Tower_Handoff. The precondition
for this action is a boolean derived variable Tower_Handoff_Condition(i).

The controller model requires expressions for Center_Handoff_Condition(i),
Order_Condition(i, j), DOF_Condition(i, dof), Independent_Choice_Condition(i),
Independent_Choice(i) and Tower_Handoff_Condition(i). Obtaining expressions
for these variables is likely to be a major challenge, as it involves understanding
the complicated decision making process of the human air traffic controllers.
To start the safety analysis we will assume that FAST is active, the controller
always follows the proposed advisories, never imposes additional constraints and
hands off the aircraft to the tower at the runway threshold.

Communication Channel: Communicating commands to the pilots is achieved
through communication channel automata, $C_i$. Each automaton has an input action
$Send_i(command)$, whose effect is to store the command together with a time
stamp in an internal multi-set. The message is delivered (and removed from the
multi-set) upon occurrence of the output action $Receive_i(command)$. Delivery is
guaranteed by at most $d_i^C$ time units from the time the message was sent.

Pilot Model: Finally, the pilot is modeled by a hybrid automaton $P_i$. $P_i$ accepts
input information about the aircraft and the air traffic controller commands
(obtained through the input action $Receive_i(command)$) and produces input $a_i$
for the aircraft automaton. Similar to the air traffic controllers, a pilot is given the
freedom to ignore an ATC command. His/her decision is stored in an internal
variable $Follow_i$. If the pilot chooses to follow a particular command he/she
responds after some delay (encoded by input variable $d_i^P$). In this case, $a_i$ is
chosen according to a derived variable Comply. Otherwise, $a_i$ is chosen according
to a derived variable Not_Comply. Expressions for these derived variables are
needed to complete the description of the pilot automaton. These expressions
may again be hard to obtain as they involve modeling the response of the human
pilots and/or the autopilots.

4  Safety  Notions 

The performance evaluation of large scale systems like CTAS is a very complex
process. Various metrics quantitatively measure system performance and allow
comparisons between different designs. The three most prominent performance
areas for CTAS are:

- Safety, which receives top priority.

- Economic considerations, such as minimizing fuel and operating costs as
well as time delays. Other considerations, such as passenger comfort, can also
be included in this category.

- Reduction of controller workload and, more generally, increasing situational
awareness of controllers.

Even though all three aspects of the system performance are important, and
the interaction between them is very interesting, here we will concentrate on
questions of safety. We classify safety questions into:

- Nominal Safety: considers safety under nominal conditions.

- Robust Safety: questions the robustness of the nominal safety claims.

- Structural Safety: questions of safety under structural changes in CTAS.

- Degraded Safety: considers safety questions in degraded operation.

The  above  classes  of  safety  measures  will  be  used  to  determine  not  whether 
CTAS  is  safe  but  whether  CTAS  is  safer  than  the  current  system.  The  outcome 
may  also  depend  on  the  metric  used.  For  example,  CTAS  may  be  safer  than  the 
current  system  under  nominal  operation  but  not  as  safe  in  degraded  operation. 

For the time being we restrict our attention to safety questions when the
system operation is nominal (in a sense "perfect"). We assume that operation is
nominal if:

- Nominal CTAS: We start with a fixed and reliable version of the CTAS
algorithms.

- Faultless Operation: There are no hardware malfunctions, no emergency
situations (such as aircraft low on fuel), and the environmental conditions
are benign.

- Accurate Models: The models used by CTAS can accurately predict aircraft
movement. This includes the aircraft dynamical models and the weather
models. In addition there is no uncertainty in sensors or parameters. For
nominal analysis both controllers and pilots can be modeled by a variable
delay that nondeterministically takes values in a bounded interval.

Under nominal conditions we can ask the following very precise safety questions,
which can be thought of as the CTAS nominal safety specification:

- Completeness: Will CTAS issue an advisory in every situation?

- Consistency: Will CTAS issue the same advisory in identical situations?
Consistency is related to controller workload since system predictability increases
situational awareness.

- Stability: Are the CTAS outputs stable? This is also related to controller
workload since advisory changes reduce situational awareness.

- Separation Requirements: Loss of separation could be catastrophic and
cannot be tolerated.

- Implementability: Are the CTAS advisories implementable? Do CTAS
advisories satisfy constraints imposed by aircraft dynamics (e.g. stall conditions)?

- Delay: What is the effect of delay (in the radar, weather daemon, controller
and pilot responses) in the system?

- Capacity Limits: What is the maximum possible TRACON capacity or
runway acceptance rate for which CTAS can maintain safety? This is related
to cost/benefit analysis.

The above list of high level CTAS specifications is refined to the lower levels
of the hierarchical structure shown in Figure 3, to derive nominal safety specifications
for the CTAS subsystems. Specifications at the level of TMA, DA and
FAST can be further decomposed into specifications for lower subsystems and
functions (the Route Analyzer (RA), Trajectory Synthesizer (TS), Profile Selector
(PFS), Dynamic Planner (DP), etc.) resulting in a set of nominal safety
specifications for each component.


Whether CTAS satisfies the specifications will depend on the initial configuration
and the system parameters. Our safety analysis methodology for nominal
safety will determine the range of configurations and parameter values for which
the CTAS advisories are safe. For example, this will involve determining the
rate at which FAST can accept and safely land aircraft that enter through the
TRACON gates, for a given runway configuration. As the flow of aircraft to
the TRACON gates is determined by the Center TMA, the TMA must in turn
guarantee that this flow constraint is not violated. Nominal safety notions try to
determine conditions under which the nominal system meets the desired specification.
In general the more relaxed the conditions are, the safer the nominal
system is. For example, if CTAS can safely handle a flow rate of 60 aircraft an
hour in the TRACON under nominal conditions, then it is likely to be more
robust than a similar system that can safely handle 50 aircraft an hour.

Given the nominal safety specifications for the various CTAS systems, the
next three classes of safety notions try to measure the effect of uncertainty,
structural changes and failures on the nominal safety issues.
5 Conclusions

In this paper, a framework for the modeling, specification and safety analysis of
the Center-TRACON Automation System (CTAS) is proposed. We believe that
this "system theoretic" perspective can prove very fruitful not only for the CTAS
problem, but also more generally for the verification of complex, hybrid software
systems (see for example [2] for the application of this methodology to the Traffic
Alert and Collision Avoidance System (TCAS)). The discussion presented in this
paper is only a first step in the verification process of CTAS. Some of the safety
questions we formulate are challenging and may require extending the
state-of-the-art analysis and verification techniques.
A  FAST Automaton Pseudo-Code

Data Types:

  $Runways = \{17L, 17R, \ldots\}$
  $Types = \{Turbojet, 747, DC\text{-}10, \ldots\}$
  $Aircraft = \{1, \ldots, N\} \subset \mathbb{N}$
  $Commands = \{(P, V, K)\}$ with $P \in \mathbb{R}^2$, $V \in \mathbb{R}$, $K \in \{Heading, Speed, Altitude\}$
  $Commands_\bot = Commands \cup \{\bot\}$
  $Advisories = \{(r, s, c)\}$ with $r \in Runways$, $s \in \{1, \ldots, N\}$, $c \in Commands_\bot$
  $Advisories_\bot = Advisories \cup \{\bot\}$
  $Weather = \{(Wind, Temperature)\} \subset \mathbb{R}^4$

Variables:

  Input:
    $w_i \in Weather$ for all $i \in Aircraft$
    $p_i \in \mathbb{R}^3$ for all $i \in Aircraft$
    $v_i \in \mathbb{R}^3$ for all $i \in Aircraft$
    $Type_i \in Types$ for all $i \in Aircraft$

  Internal:
    $FAST\_AC \subseteq Aircraft$, initially $\emptyset$
    $dof_i \subseteq DOF$, initially $\emptyset$
    $Constraints \subseteq Aircraft \times Aircraft$, initially $\emptyset$
    $Version \in \{Active, Passive\}$, initially arbitrary

  Output:
    $adv_i \in Advisories_\bot$ for all $i \in Aircraft$, initially $\bot$

  Derived:
    $Default\_dof(i) \subseteq DOF$, for all $i \in Aircraft$
    $Calculate\_Advisory \in Bool$

Actions:

  Input:
    $e$, the environment action
    $Center\_Handoff(i)$, $i \in Aircraft$
    $Constrain\_Order(i, j)$, $i, j \in Aircraft$
    $Constrain\_dof(i, dof)$, $i \in Aircraft$, $dof \in DOF$
    $Tower\_Handoff(i)$, $i \in Aircraft$
    $Sample_R$
    $Sample_W$

Discrete Transitions:

  $e$:
    Effect: arbitrarily reset the input variables

  $Center\_Handoff(i)$:
    Effect:
      $FAST\_AC := FAST\_AC \cup \{i\}$
      $dof_i := Default\_dof(i)$
      for $j \in FAST\_AC$, choose $adv_j$ so that $Calculate\_Advisory$ becomes true

  $Constrain\_Order(i, j)$:
    Effect:
      $Constraints := Constraints \cup \{(i, j)\}$
      for $j \in FAST\_AC$, choose $adv_j$ so that $Calculate\_Advisory$ becomes true

  $Constrain\_dof(i, dof)$:
    Effect:
      $dof_i := dof_i \setminus \{dof\}$
      for $j \in FAST\_AC$, choose $adv_j$ so that $Calculate\_Advisory$ becomes true

  $Tower\_Handoff(i)$:
    Effect:
      $FAST\_AC := FAST\_AC \setminus \{i\}$
      $dof_i := \emptyset$
      $Constraints := Constraints \setminus (\{(i, j)\} \cup \{(j, i)\})$
      for $j \in FAST\_AC$, choose $adv_j$ so that $Calculate\_Advisory$ becomes true

  $Sample_R$ and $Sample_W$:
    Effect:
      for $j \in FAST\_AC$, choose $adv_j$ so that $Calculate\_Advisory$ becomes true

Trajectories:

  Input variables follow arbitrary trajectories
  Output variables remain constant
  Trajectories stop once the precondition of $Tower\_Handoff(i)$ becomes true
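The discrete transitions of the FAST automaton above, and of the FAST description in Section 3, rendered as an added Python example that is not part of the paper. The derived variables Default_dof(i) and Calculate_Advisory, which the paper leaves to be extracted from the FAST documentation, are replaced by constructed stand-ins: every aircraft enters with all three degrees of freedom, and the advisories are a landing sequence (a topological sort of FAST_AC under the (i, j) constraints, ties broken by the smaller label) over a constructed runway set, with contradictory constraints detected as a cycle.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Commands = {(P, V, K)} with P in R^2, V in R, K in {Heading, Speed, Altitude}
Command = Tuple[Tuple[float, float], float, str]
DOF = ("Altitude", "Heading", "Speed")           # the DOF type of the pseudo-code


@dataclass(frozen=True)
class Advisory:
    runway: str                 # r in Runways
    sequence: int               # s in {1, ..., N}: position in the landing sequence
    command: Optional[Command]  # c in Commands_bot; None encodes the undefined command


class ContradictoryConstraints(Exception):
    """The sequencing constraints contain a cycle, so no landing order satisfies them."""


@dataclass
class FASTAutomaton:
    version: str = "Active"                               # Version in {Active, Passive}
    runways: Tuple[str, ...] = ("17L", "17R")             # constructed runway set
    fast_ac: Set[int] = field(default_factory=set)        # FAST_AC, initially empty
    dof: Dict[int, Set[str]] = field(default_factory=dict)            # dof_i, initially empty
    constraints: Set[Tuple[int, int]] = field(default_factory=set)   # (i, j): i lands before j
    adv: Dict[int, Optional[Advisory]] = field(default_factory=dict)  # adv_i, initially undefined

    # ---- derived variables: constructed stand-ins for what the paper leaves open ----
    def default_dof(self, i: int) -> Set[str]:
        """Default_dof(i): the paper makes this depend on type, entry point and
        weather; here every aircraft enters with all degrees of freedom."""
        return set(DOF)

    def landing_sequence(self) -> List[int]:
        """Kahn's topological sort of FAST_AC under the (i, j) constraints;
        among the aircraft that may go next, the smaller label goes first."""
        indeg = {k: 0 for k in self.fast_ac}
        for i, j in self.constraints:
            if i in indeg and j in indeg:
                indeg[j] += 1
        order: List[int] = []
        ready = sorted(k for k, d in indeg.items() if d == 0)
        while ready:
            k = ready.pop(0)
            order.append(k)
            for i, j in self.constraints:
                if i == k and j in indeg:
                    indeg[j] -= 1
                    if indeg[j] == 0:
                        ready = sorted(ready + [j])
        if len(order) != len(self.fast_ac):          # some aircraft never became ready
            raise ContradictoryConstraints(sorted(self.constraints))
        return order

    def calculate_advisory(self) -> None:
        """Choose adv_j for every j in FAST_AC so that Calculate_Advisory holds;
        aircraft outside the TRACON get the default undefined advisory."""
        for i in list(self.adv):
            if i not in self.fast_ac:
                self.adv[i] = None
        for s, j in enumerate(self.landing_sequence(), start=1):
            runway = self.runways[(s - 1) % len(self.runways)]
            command: Optional[Command] = None
            if self.version == "Active" and self.dof[j]:
                # constructed command (P, V, K): fly to P and reach V there, using
                # the first kind of command K the controller has not removed
                command = ((0.0, 0.0), 0.0, sorted(self.dof[j])[0])
            self.adv[j] = Advisory(runway, s, command)

    # ---- discrete transitions, one per input action of the pseudo-code ----
    def center_handoff(self, i: int) -> None:
        self.fast_ac.add(i)
        self.dof[i] = self.default_dof(i)
        self.calculate_advisory()

    def constrain_order(self, i: int, j: int) -> None:
        self.constraints.add((i, j))
        self.calculate_advisory()

    def constrain_dof(self, i: int, dof: str) -> None:
        self.dof[i].discard(dof)
        self.calculate_advisory()

    def tower_handoff(self, i: int) -> None:
        self.fast_ac.discard(i)
        self.dof[i] = set()
        self.constraints = {(a, b) for a, b in self.constraints if i not in (a, b)}
        self.calculate_advisory()

    def sample(self) -> None:
        """Sample_R and Sample_W: fresh radar or weather data, recompute advisories."""
        self.calculate_advisory()
```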
Abstract. We investigate the feasibility of computer-aided deductive
verification of hybrid systems. Hybrid systems are modeled by phase
transition systems, in which activities specify the bounds on the derivatives
of the continuous variables. We present a method for invariant generation
based on static analysis of the phase transition system. The invariants
produced can be used as auxiliary properties in the verification
of temporal properties. We show that in some cases the invariants thus
produced suffice to prove the main safety property.


1  Introduction 

Deductive approaches to the verification of hybrid systems have been studied
extensively. However, this work has been mostly theoretical; few implementations
exist to test the feasibility of these approaches on practical problems. Some
exceptions are [26] and [6], where PVS is used to verify (part of) the steam boiler
challenge problem [1].

On the other hand, algorithmic verification methods for hybrid systems,
based on hybrid automata [2, 16], and implemented in the tool HyTech [18]
have been successfully applied to many, relatively large practical examples, for
example [20, 21]. However, HyTech is applicable only to rectangular hybrid automata,
that is, systems with a finite control structure, in which the derivative
of all continuous variables either is constant or lies in an interval bounded by
constants. Although several ways have been identified to construct conservative
rectangular approximations of systems that cannot be described by rectangular
automata [17, 19], these steps may be informally justified and thus error
prone. Although HyTech is able to do parametric analysis, due to the limitations
of current polyhedra technology, it is usually restricted to systems with a
few parameters unspecified; it expects fixed, explicit values for the rest of the
parameters.

* This research was supported in part by the National Science Foundation under
grant CCR-95-27927, the Defense Advanced Research Projects Agency under NASA
grant NAG2-892, ARO under grant DAAH04-95-1-0317, ARO under MURI grant
DAAH04-96-1-0341, and by Army contract DABT63-96-C-0096 (DARPA).
In general, algorithmic methods are preferable whenever they are applicable,
because they are fully automatic. However, deductive methods are applicable
to a larger class of systems, and, in general, can handle systems with symbolic
constants, parameterized systems, and nonlinear systems. The price of the generality
of the deductive approach is the need for intermediate assertions and
invariants and possibly interactive theorem proving.

In this paper we investigate the practical aspects of the deductive verification
of hybrid systems by presenting a prototype implementation of a tool to assist in
such verification. It is applicable to systems with infinite control structure and is
not limited to rectangular hybrid systems. Our approach to the deductive verification
of hybrid systems is based on the formalism of phase transition systems,
introduced by Manna and Pnueli [22] as a model to describe hybrid systems.
Phase transition systems are an extension of fair transition systems: activities
are used to describe how continuous variables evolve over time, and a progress
condition imposes constraints on the progress of time under various conditions.

Our tool is implemented as part of the STeP (Stanford Temporal Prover)
verification system, an integrated toolset for verifying linear-time temporal properties
of reactive systems. STeP's deductive methods include verification rules
and verification diagrams. In [22] it is shown that phase transition systems define
an associated transition system that has the same set of behaviours. In
the associated transition system activities are translated into regular transitions
parameterized by their duration. This correspondence makes STeP's deductive
methods, originally developed for discrete systems, immediately applicable to
hybrid systems.

STeP  also  provides  tools  for  the  automatic  generation  of  invariants.  STeP’s 
invariant  generation  methods  for  discrete  systems  are  described  in  [10],  while  [11] 
presents  a  method  applicable  to  real-time  systems.  Here  we  adapt  the  method 
for  real-time  systems  and  propose  an  additional  method  that  takes  advantage  of 
some  properties  of  activities.  We  show  that  for  some  systems  the  invariants  thus 
generated  are  sufficient  to  prove  the  properties  of  interest. 

2  Preliminaries 

2.1  Computational  Model:  Transition  Systems 

As the underlying computational model for verification we use transition systems
[23]. A transition system $\Phi = (V, \Theta, \mathcal{T})$ consists of

- $V$: A finite set of typed system variables. A state is a type-consistent
interpretation of the system variables. The set of all states is called the state
space, and is designated by $\Sigma$. We say that a state $s$ is a $p$-state if $s$ satisfies
$p$, written $s \models p$.

- $\Theta$: The initial condition, a satisfiable assertion characterizing the initial
states.

- $\mathcal{T}$: A finite set of transitions. Each transition $\tau \in \mathcal{T}$ is a function

$$\tau : \Sigma \mapsto 2^{\Sigma}$$

mapping each state $s \in \Sigma$ into a (possibly empty) set of $\tau$-successor states,
$\tau(s) \subseteq \Sigma$. Each transition $\tau$ is defined by a transition relation $\rho_\tau(V, V')$,
a first-order formula in which the unprimed variables refer to the values in
the current state $s$, and the primed variables refer to the values in the next
state $s'$. Transitions may be parameterized, thus simulating an infinite set
of similar transitions.


Computations A computation of a transition system $\Phi = (V, \Theta, \mathcal{T})$ is an
infinite sequence of states $\sigma : s_0, s_1, s_2, \ldots$ such that

- Initiation: $s_0$ is initial, that is, $s_0 \models \Theta$.

- Consecution: For each $j = 0, 1, \ldots$, $s_{j+1}$ is a $\tau$-successor of $s_j$, that is, $s_{j+1} \in \tau(s_j)$
for some $\tau \in \mathcal{T}$.

A computation prefix is a finite sequence of states that satisfies Initiation and
Consecution.


2.2  System  Description:  Phase  Transition  Systems 

Transition systems are not a very convenient formalism to describe hybrid systems,
because of the discrete nature of the transitions: transitions update the
value of the variables in a discrete manner, rather than let the values of variables
vary continuously over time. Therefore we use phase transition systems [22] to
describe hybrid systems. The phase transition system presented here extends the
one presented in [22] with differential inclusions.

A phase transition system (PTS) $\Phi = (V, \Theta, \mathcal{T}, \mathcal{A}, \Pi)$ has the same components
as a transition system plus two additional components that allow us to
describe how continuous variables evolve over time. First, a PTS imposes some
additional constraints on $V$, $\Theta$, and $\mathcal{T}$:

- $V$: The set of system variables is partitioned into a set $D$ of discrete variables,
which can be of any type, a set $C$ of clock variables, and a set $\mathcal{I}$ of continuous
variables (also known as integrators). All variables in $C$ and $\mathcal{I}$ must be of
type real. We assume that the set of clock variables includes a variable $T$,
called the masterclock. The masterclock records the progress of global time.

- $\Theta$: The initial condition must satisfy $\Theta \to T = 0$.

- $\mathcal{T}$: The transitions in $\mathcal{T}$ are considered discrete and are assumed to happen
instantaneously; therefore we require that no transition modify the master
clock, that is, for every transition $\tau \in \mathcal{T}$ we require:

$$\rho_\tau(V, V') \to T' = T .$$

The new components in a PTS are

- $\mathcal{A}$: A finite set of activities. Each activity $a \in \mathcal{A}$ is described by an activity
relation:

$$\rho_a : p_a \to \dot{\mathcal{I}}^a_{=} = F^a(V) \wedge \dot{\mathcal{I}}^a_{\in} \in [F^a_\ell(V), F^a_u(V)]$$

where $p_a$, called the activation condition, is a predicate over $V$, and $\mathcal{I}^a_{=} \cup \mathcal{I}^a_{\in} = \mathcal{I}$,
the set of integrators. $\mathcal{I}^a_{=}$ is the set of variables for which the derivative is
fully specified in $a$, while the derivatives of the variables in $\mathcal{I}^a_{\in}$ are specified
by differential inclusions.
Activity $a$ is said to be active in state $s$ if its activation condition $p_a$ holds on $s$. The formula $\dot{X}^a_d = F^a(V)$ stands for

$$\dot{x}_i = F^a_i(V), \quad \text{for } i = 1, \ldots, m$$

and the formula $\dot{X}^a_i \in [F^a_l(V), F^a_u(V)]$ stands for the differential inclusion

$$\dot{x}_i \in [F^a_{i,l}(V), F^a_{i,u}(V)], \quad \text{for } i = m+1, \ldots, n$$

where $\{x_1, \ldots, x_n\} = X$. The functions $F^a_i$ specify how the continuous variables change over time while the system is in a $p_a$-state; the functions $F^a_{i,l}(V)$, $F^a_{i,u}(V)$ are a lower and upper bound on the derivative of $x_i$. Each activity must specify an evolution constraint on each continuous variable. We assume that the integral of each $F^a$ is well-defined and we require that $F^a$ does not depend on variables specified by a differential inclusion. Activities should be time-invariant, that is, $F^a$ cannot explicitly refer to time elapsed since the start of the activity. This condition does not reduce the expressiveness, but may require the introduction of additional variables. For example, to specify that a variable $x$ varies according to the square root of time in some activity, we cannot say $\dot{x} = \sqrt{t}$, but we have to say $\dot{x} = \sqrt{y}$, $\dot{y} = 1$. The reason for this condition is to make sure that the effects of two consecutive $\tau_a$ steps are the same as the effects of one single $\tau_a$ step with duration the sum of the two steps.

To ensure that the phase transition system is time-deterministic we require that the activities' activation conditions are mutually exclusive and exhaustive, that is $p_{a_i} \rightarrow \neg p_{a_j}$ for $a_i \neq a_j$, and $\bigvee_{a \in \mathcal{A}} p_a$ must hold on the reachable states.

- $\Pi$: The time-progress condition. An assertion over $V$ used to specify a global restriction over the progress of time.


Associated Transition System With each activity $a \in \mathcal{A}$ we associate a parameterized transition $\tau_a[\Delta]$, which represents an infinite set of transitions, one for each possible interval duration $\Delta$. We refer to these transitions as time-step transitions: these are the only transitions that can advance global time. If $a$ has activity relation

$$\rho_a : p_a \rightarrow \dot{X}^a_d = F^a(V) \wedge \dot{X}^a_i \in [F^a_l(V), F^a_u(V)]$$

the transition relation of $\tau_a[\Delta]$ is given by

$$\begin{array}{ll}
\rho_{\tau_a[\Delta]} : & \Delta > 0 \wedge p_a \wedge D' = D \wedge C' = C + \Delta \\
 & \wedge\ {X^a_d}' = X^a_d + G^a(\Delta) \\
 & \wedge\ X^a_i + G^a_l(\Delta) \leq {X^a_i}' \wedge {X^a_i}' \leq X^a_i + G^a_u(\Delta) \\
 & \wedge\ \forall E \in \mathbb{R},\ \forall \delta \in (0, \Delta] .\ \big( (X^a_i + G^a_l(\delta) \leq E \wedge E \leq X^a_i + G^a_u(\delta)) \rightarrow \Pi(D, C + \delta, X^a_d + G^a(\delta), E) \big)
\end{array}$$

where

$$G^a(\delta) = \int_0^\delta F^a\, dt, \qquad G^a_l(\delta) = \int_0^\delta F^a_l\, dt, \qquad G^a_u(\delta) = \int_0^\delta F^a_u\, dt$$

and $\Pi(D, C, X^a_d, X^a_i)$ is the progress condition.

In words, each time-step transition $\tau_a[\Delta]$ is a transition that is enabled if it has a positive time duration $\Delta$, its activity condition $p_a$ holds, and the progress condition holds throughout the interval $(0, \Delta]$ for all values of the derivatives of the variables in $X^a_i$. It is assumed that during this interval all continuous variables evolve according to the derivatives specified in the activity relation, all clocks increase uniformly with time, and all discrete variables stay the same. If the transition is taken, the values of the variables in the successor state(s) are constrained by the primed expressions in the transition relation.

The progress condition is similar to the tcp predicate introduced in [24]: it constrains the time that the system can reside in a particular configuration.

The phase transition system $\Phi = (V, \Theta, \mathcal{T}, \mathcal{A}, \Pi)$ defines the associated transition system $\hat{\Phi} = (V, \Theta, \mathcal{T}_H)$, where

$$\mathcal{T}_H = \mathcal{T} \cup \mathcal{T}_A, \quad \text{where } \mathcal{T}_A = \{ \tau_a[\Delta] \mid a \in \mathcal{A},\ \Delta \in \mathbb{R}^+ \}$$


Computations A computation of a PTS is an infinite sequence of states $\sigma : s_0, s_1, s_2, \ldots$, such that

- $\sigma$ is a computation of $\hat{\Phi}$, where $\hat{\Phi}$ is the associated transition system defined by $\Phi$, and

- Time Divergence: the value of the masterclock $T$ grows beyond any bound, that is, the sequence $s_0[T], s_1[T], \ldots$ grows beyond any bound.

A hybrid system is called non-Zeno if every finite sequence of states that is a computation prefix of the associated transition system can be extended into a computation. In this paper we restrict ourselves to non-Zeno systems.

2.3 Verification of safety properties

A safety property is a property expressible by a formula of the form $\Box p$, for a past temporal formula $p$ (see [23] for definitions of past formula and the semantics of $\Box$). This includes invariances, where $p$ is an assertion. In this case the formula states that $p$ should be true in every accessible state of the system.

Because a transition system can be associated with a phase transition system, many verification rules presented in [23] can be reused for the verification of phase transition systems. In this paper we will use the invariance rule INV, shown in Figure 1, to prove some properties of hybrid systems. These rules reduce the system validity of a temporal formula to the general validity of a set of first-order verification conditions. In the rules $\{\varphi\}\ \tau\ \{\psi\}$ stands for the formula

$$(\varphi(V) \wedge \rho_\tau(V, V')) \rightarrow \psi(V'), \qquad \forall \Delta .\ ((\varphi(V) \wedge \rho_{\tau[\Delta]}(V, V')) \rightarrow \psi(V'))$$

for a regular and a parameterized transition $\tau$, respectively.
For PTS $\Phi$ and assertions $\varphi$, $p$,

  I1. $\Theta \rightarrow \varphi$
  I2. $\varphi \rightarrow p$
  I3. $\{\varphi\}\ \tau\ \{\varphi\}$ for each $\tau \in \mathcal{T}_H$
  ------------------------------------------------------
  $\Phi \models \Box p$

Fig. 1. Invariance rule INV


We say that an assertion $p$ is inductive for a hybrid system $\Phi$ if $\Box p$ can be proved using rule INV with $\varphi$ equal to $p$ (that is, $p$ holds initially and is preserved by every transition). If these verification conditions can be proved assuming a set of properties $S$, we say that $p$ is inductive relative to $S$.

3 STeP

The Stanford Temporal Prover, STeP, is a tool for the deductive and algorithmic verification of reactive systems [8, 9, 11].

STeP implements verification rules and verification diagrams for deductive verification. A collection of decision procedures for built-in theories, including integers, reals, datatypes and equality, is combined with propositional and first-order reasoning to simplify verification conditions, proving many of them automatically. For those that cannot be established automatically, an interactive Gentzen-style theorem prover is available. Features such as parameterization and transitions originating from activities introduce quantifiers in verification conditions. Fortunately, the required quantifier instantiations are often "obvious" in that they use instances that can be provided by the decision procedures themselves. Accordingly, an integration of first-order reasoning and decision procedures was developed that can automatically discharge many verification conditions that would otherwise require the use of the interactive prover [12].

To enable symbolic manipulation of first-order formulas in the theory of real closed fields, we are planning to integrate STeP with REDLOG [13], a package that forms a front-end to the computer algebra system REDUCE [14]. Some of the verification conditions generated by the case studies reported in this paper were proved automatically by a version of REDLOG made available on the web.

4 Generation of Invariants

STeP provides tools for automatic generation of invariants based on static analysis of transition systems for reactive systems [10] and real-time systems [11]. These invariants are invaluable as auxiliary properties in deductive verification. We will describe two techniques for automatically generating invariants for hybrid systems.

For a PTS $\Phi = (V, \Theta, \mathcal{T}_D, \mathcal{A}, \Pi)$, and associated transition system $\hat{\Phi} = (V, \Theta, \mathcal{T}_H)$, define

$$\mathit{Post}_D(X) = \bigvee_{\tau \in \mathcal{T}_D} \mathit{post}(\tau, X), \qquad \mathit{Post}_A(X) = \bigvee_{\tau \in \mathcal{T}_H - \mathcal{T}_D} \mathit{post}(\tau, X)$$

where

$$\mathit{post}(\tau, X) = \exists V^0 .\ X(V^0) \wedge \rho_\tau(V^0, V)$$

and for a parameterized transition $\tau[\Delta]$

$$\mathit{post}(\tau, X) = \exists \Delta, V^0 .\ X(V^0) \wedge \rho_{\tau[\Delta]}(V^0, V)$$

Thus, $\mathit{Post}_D(X)$ characterizes all the states that can be reached from a state satisfying $X$ by a discrete transition, and $\mathit{Post}_A(X)$ characterizes all the states that can be reached from a state satisfying $X$ by a time-step transition.


Invariant 1 The first invariant is similar to that described in [11] for real-time systems.

$$\mathit{Inv}_1 : \Theta \vee \mathit{Post}_D(\mathit{true}) \vee \mathit{Post}_A(\mathit{true})$$

$\mathit{Inv}_1$ characterizes the set of states that is either an initial state or can be reached by either a discrete transition or a time-step transition, starting from anywhere in the state space. It is not hard to see that $\mathit{Inv}_1$ is an invariant of $\Phi$.

As we may want to apply an invariant to every verification condition, it is desirable to minimize the number of quantifiers it contains. In STeP the existential quantifiers generated for the discrete transitions are used with universal force when appearing in assumptions and are mostly eliminated by STeP's simplifier. Similar to [11] we can approximate $\mathit{Post}_A(\mathit{true})$ by the progress condition $\Pi$, since

$$\mathit{post}(\tau_a, \mathit{true}) = \exists \Delta, D^0, C^0, X^0 .\ \rho_{\tau_a[\Delta]}(V^0, V)$$

is equivalent to

$$p_a \wedge \exists \Delta .\ \left( \exists X^{a0}_i .\ \left( \begin{array}{l}
\Delta > 0 \\
\wedge\ X^{a0}_i + G^a_l(\Delta) \leq X^a_i \wedge X^a_i \leq X^{a0}_i + G^a_u(\Delta) \\
\wedge\ \forall E,\ \forall \delta \in (0, \Delta] .\ \big( (X^{a0}_i + G^a_l(\delta) \leq E \wedge E \leq X^{a0}_i + G^a_u(\delta)) \rightarrow \Pi(D, C + \delta - \Delta, X^a_d + G^a(\delta) - G^a(\Delta), E) \big)
\end{array} \right) \right)$$

by taking $D^0 = D$, $C^0 = C - \Delta$ and $X^{a0}_d = X^a_d - G^a(\Delta)$, which in turn implies

$$p_a \wedge \Pi(D, C, X^a_d, X^a_i)$$

by taking $\delta = \Delta$ and $E = X^a_i$, and thus we have

$$\mathit{Post}_A(\mathit{true}) \rightarrow \Pi(D, C, X^a_d, X^a_i)$$

as required.

In [7] and [25] a similar method is used for the generation of invariants for untimed programs and hardware respectively.
Invariant 2 The second invariant takes advantage of the time-invariance property of activities. Time invariance ensures that the possible effects of taking two successive $\tau_a$ transitions of duration $\Delta_1$ and $\Delta_2$ are the same as taking one $\tau_a$ transition of duration $\Delta_1 + \Delta_2$, that is

$$\rho_{\tau_a[\Delta_1]} \circ \rho_{\tau_a[\Delta_2]} = \rho_{\tau_a[\Delta_1 + \Delta_2]}$$

Based on this property we can claim

Claim 1 Given a phase transition system $\Phi = (V, \Theta, \mathcal{T}, \mathcal{A}, \Pi)$, the following is an invariant of $\Phi$:

$$\mathit{Inv}_2 : \Theta \vee \mathit{Post}_D(\mathit{true}) \vee \mathit{Post}_A(\mathit{Post}_D(\mathit{true}) \vee \Theta)$$

Justification: Assume, by contradiction, that there is some state $s$ that is accessible in a computation of $\Phi$ but does not satisfy $\mathit{Inv}_2$. Clearly $s$ cannot be an initial state or the result of a discrete transition, so it must be the final state of a time-step transition, $\tau_a[\Delta]$. Let $s^0$ be the state from which $\tau_a$ was taken. Clearly $s^0$ cannot be the result of a discrete transition, or an initial state, so it must, like $s$, be the final state of a time-step transition, $\tau_{a_1}$. However, $\tau_{a_1}$, where $a_1 \neq a$, cannot be followed immediately by $\tau_a$, by the requirement that $p_{a_1} \wedge p_a$ be unsatisfiable, that the activation conditions only depend on discrete variables, and that a time-step transition cannot modify any discrete variables; two distinct time-step transitions always have to be separated by a discrete transition. Thus $s^0$ must be the final state of another time-step transition $\tau_a[\Delta_1]$. However, by time invariance, the effect of $\tau_a[\Delta_1]$ followed by $\tau_a[\Delta]$ is the same as taking the single time-step transition $\tau_a[\Delta_1 + \Delta]$; repeating the same argument for the starting state of $\tau_a[\Delta_1]$ we can conclude, by induction, that $\tau_a[\Delta]$ cannot be preceded by another $\tau_a$ time-step transition.

In the following section we will see that this invariant is strong enough to prove the safety property of the water-level monitor.

5 Example

We verified symbolic versions of several of the case studies reported in the HyTech literature. Translation from a hybrid automaton [16] to a phase transition system is straightforward. Given a hybrid automaton $\mathcal{H} = (X, (V, E), \mathit{init}, \mathit{inv}, \mathit{flow}, \mathit{jump})$ where $X$ is a set of variables, $(V, E)$ a set of nodes and edges, $\mathit{init}$ a mapping from nodes to assertions denoting the initial condition, $\mathit{inv}$ a mapping from nodes to assertions denoting node invariants, $\mathit{flow}$ a mapping from nodes to relations over $X \cup \dot{X}$ specifying the derivatives of the continuous variables, and $\mathit{jump}$ a mapping from edges to relations over $X \cup X'$ denoting the discrete transitions, the corresponding phase transition system is $\Phi = (X \cup \{s\}, \Theta, \mathcal{T}, \mathcal{A}, \Pi)$, where $s$ is a new (discrete) variable with domain $V$,

$$\Theta = \bigvee_{v \in V} (s = v \wedge \mathit{init}(v)),$$

$$\mathcal{T} = \{\tau \mid \rho_\tau = \mathit{jump}(e) \wedge e \in E\},$$

$$\mathcal{A} = \{a \mid \rho_a = (s = v \rightarrow \mathit{flow}(v)) \wedge v \in V\},$$

$$\Pi = \bigwedge_{v \in V} s = v \rightarrow \mathit{inv}(v) .$$


5.1 Water-level monitor

To illustrate our methods we will describe the verification of the water-level monitor system shown in Figure 2, taken from [3]; its description as a hybrid automaton is shown in Figure 3, and its description as a phase transition system, as entered in STeP, is shown in Figure 4. The system consists of a water tank that supplies water to a customer at a constant rate. The level, $y$, in the tank is controlled by a controller, which observes the level via a level sensor. When the level drops below $\mathit{low}_y$, the controller starts a pump to refill the tank, and when the level rises above $\mathit{high}_y$ the pump is turned off again. When the pump is on, the level rises with rate $\mathit{rate}_{in}$; when the pump is off, the level drops with rate $\mathit{rate}_{out}$. However, there is a time delay of $\mathit{delay}$ seconds between the time the controller sends the signal to the pump and the time the flow is established or the pump is stopped.

Fig. 2. Water-level monitor system

Fig. 3. Water level monitor - hybrid automaton

  Hybrid Transition System Waterlevel Controller

  type valveStates = {on, switching_off, off, switching_on}

  in min_y, max_y : real where min_y <= max_y
  in low_y : real where low_y >= min_y
  in high_y : real where high_y <= max_y /\ high_y > low_y
  in delay : real where delay > 0
  in rate_in, rate_out : real where rate_in > 0 /\ rate_out < 0

  local s : valveStates where s = on
  clock x where x = 0
  continuous y where y = low_y

  Progress
    (s = on --> y <= high_y) /\
    (s = switching_off --> x <= delay) /\
    (s = off --> y >= low_y) /\
    (s = switching_on --> x <= delay)

  Transition switch_off:
    enable s = on /\ y = high_y
    assign s := switching_off, x := 0

  Transition isoff:
    enable s = switching_off /\ x = delay
    assign s := off, x := 0

  Transition switch_on:
    enable s = off /\ y = low_y
    assign s := switching_on, x := 0

  Transition ison:
    enable s = switching_on /\ x = delay
    assign s := on, x := 0

  Activity Aon:
    enable s = on \/ s = switching_off
    assign Deriv(y) := rate_in

  Activity Aoff:
    enable s = off \/ s = switching_on
    assign Deriv(y) := rate_out

Fig. 4. The Waterlevel Controller phase transition system

The property we want to prove about this system is that the level stays between a lower and upper limit, expressed by the linear-time temporal logic formula

$$\mathit{safe} : \Box(\mathit{min}_y \leq y \wedge y \leq \mathit{max}_y)$$

assuming there is sufficient margin between $\mathit{max}_y$ and $\mathit{high}_y$, and between $\mathit{min}_y$ and $\mathit{low}_y$, expressed by the axioms

$$\mathit{max}_y \geq \mathit{high}_y + \mathit{rate}_{in} \cdot \mathit{delay}$$
$$\mathit{min}_y \leq \mathit{low}_y + \mathit{rate}_{out} \cdot \mathit{delay}$$

Not surprisingly, the property $\mathit{safe}$ is not inductive, that is, after application of rule INV, taking $\varphi = p$, all first-order verification conditions simplify to true automatically except those for Aon and Aoff, which in fact are not valid. Rather than trying to strengthen the property to make it inductive, we generate the invariants described in Section 4.

We first generate $\mathit{Post}_D(\mathit{true})$, which results (after simplification) in

$$\mathit{Post}_D(\mathit{true}) :\ x = 0 \wedge \left( \begin{array}{l}
s = \mathit{on} \vee s = \mathit{off} \\
\vee\ \mathit{low}_y = y \wedge s = \mathit{switching\_on} \\
\vee\ \mathit{high}_y = y \wedge s = \mathit{switching\_off}
\end{array} \right)$$

and we use this to generate $\mathit{Post}_A(\mathit{Post}_D \vee \Theta)$, resulting in

$$\mathit{Post}_A(\mathit{Post}_D \vee \Theta) :\ \left( \begin{array}{l}
x > 0 \\
\wedge\ (s = \mathit{off} \rightarrow \mathit{low}_y \leq y) \\
\wedge\ (s = \mathit{on} \rightarrow y \leq \mathit{high}_y) \\
\wedge\ ((s = \mathit{switching\_on} \vee s = \mathit{switching\_off}) \rightarrow x \leq \mathit{delay}) \\
\wedge\ \left( \begin{array}{l}
s = \mathit{off} \vee s = \mathit{on} \\
\vee\ s = \mathit{switching\_on} \wedge y = \mathit{low}_y + \mathit{rate}_{out} \cdot x \\
\vee\ s = \mathit{switching\_off} \wedge y = \mathit{high}_y + \mathit{rate}_{in} \cdot x
\end{array} \right)
\end{array} \right)$$

Taking the disjunction, we obtain the invariants we need to make the property $\mathit{safe}$ inductive:

$$s = \mathit{switching\_on} \rightarrow y = \mathit{low}_y + \mathit{rate}_{out} \cdot x \wedge x \leq \mathit{delay}$$
$$s = \mathit{switching\_off} \rightarrow y = \mathit{high}_y + \mathit{rate}_{in} \cdot x \wedge x \leq \mathit{delay}$$
$$x \geq 0$$

With these invariants the two remaining verification conditions simplify to true, where some of the non-linear clauses were proved by REDLOG [13].

Note that the system verified here cannot be verified by the current version of HyTech due to the use of symbolic constants for rate constants, which results in non-linear terms.
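The water-level monitor of Fig. 4, the verification conditions of rule INV and the invariants obtained above, as an added executable check in Python that is not STeP code and not part of the paper. The parameter values, the random exploration and the witness state are constructed here, and the check assumes that the progress condition can be evaluated at the end point of a step because its bounds are linear in x and y.

```python
"""Water-level monitor of Fig. 4 as an executable phase transition system.

Added example, not STeP's or the paper's own code: the PTS is simulated with
exact Fractions so the equalities of the generated invariants can be checked,
and the verification conditions of rule INV for safe are tested on time steps.
"""
import random
from fractions import Fraction as Fr

# Constructed parameter values (hypothetical numbers) satisfying the
# 'in ... where' constraints of Fig. 4 and the two margin axioms of 5.1.
P = dict(min_y=Fr(0), low_y=Fr(2), high_y=Fr(8), max_y=Fr(10),
         delay=Fr(1), rate_in=Fr(2), rate_out=Fr(-1))
assert P["max_y"] >= P["high_y"] + P["rate_in"] * P["delay"]
assert P["min_y"] <= P["low_y"] + P["rate_out"] * P["delay"]

INIT = dict(s="on", x=Fr(0), y=P["low_y"], T=Fr(0))  # T: master clock

def progress(st):
    """Time-progress condition Pi of Fig. 4."""
    s, x, y = st["s"], st["x"], st["y"]
    return ((s != "on" or y <= P["high_y"])
            and (s != "switching_off" or x <= P["delay"])
            and (s != "off" or y >= P["low_y"])
            and (s != "switching_on" or x <= P["delay"]))

# Discrete transitions of Fig. 4: name -> (enable condition, assignment).
TRANSITIONS = {
    "switch_off": (lambda st: st["s"] == "on" and st["y"] == P["high_y"],
                   lambda st: dict(st, s="switching_off", x=Fr(0))),
    "isoff": (lambda st: st["s"] == "switching_off" and st["x"] == P["delay"],
              lambda st: dict(st, s="off", x=Fr(0))),
    "switch_on": (lambda st: st["s"] == "off" and st["y"] == P["low_y"],
                  lambda st: dict(st, s="switching_on", x=Fr(0))),
    "ison": (lambda st: st["s"] == "switching_on" and st["x"] == P["delay"],
             lambda st: dict(st, s="on", x=Fr(0))),
}

def rate(st):
    """Deriv(y) under the activity active in st (Aon or Aoff)."""
    return P["rate_in"] if st["s"] in ("on", "switching_off") else P["rate_out"]

def time_step(st, delta):
    """tau_a[delta]: successor state, or None when the step is not enabled.
    Pi is a conjunction of linear bounds on x and y, which move monotonically
    during a step, so Pi holds on (0, delta] iff it holds at delta."""
    if delta <= 0:
        return None
    succ = dict(st, x=st["x"] + delta, y=st["y"] + rate(st) * delta,
                T=st["T"] + delta)
    return succ if progress(succ) else None

def max_delta(st):
    """Largest delta for which tau_a[delta] is enabled in st."""
    s, x, y = st["s"], st["x"], st["y"]
    if s == "on":
        return (P["high_y"] - y) / P["rate_in"]
    if s == "off":
        return (y - P["low_y"]) / -P["rate_out"]
    return P["delay"] - x

def safe(st):
    return P["min_y"] <= st["y"] <= P["max_y"]

def generated_invariants(st):
    """The three invariants obtained from Inv2 in Section 5.1."""
    s, x, y = st["s"], st["x"], st["y"]
    return (x >= 0
            and (s != "switching_on"
                 or (y == P["low_y"] + P["rate_out"] * x and x <= P["delay"]))
            and (s != "switching_off"
                 or (y == P["high_y"] + P["rate_in"] * x and x <= P["delay"])))

def vc_time_step(pre, st, delta):
    """{pre} tau_a[delta] {pre} of rule INV, evaluated at one (st, delta)."""
    succ = time_step(st, delta)
    return (not pre(st)) or succ is None or pre(succ)

# Witness that safe alone is not inductive: the state satisfies safe and Pi,
# but the Aon step of length delay carries y above max_y.
SAFE_ONLY_WITNESS = dict(s="switching_off", x=Fr(0), y=P["max_y"] - 1, T=Fr(0))

def explore(steps, seed=0):
    """Random computation prefix of the PTS from INIT; returns the states."""
    rng = random.Random(seed)
    st, visited = INIT, [INIT]
    for _ in range(steps):
        enabled = [assign for guard, assign in TRANSITIONS.values() if guard(st)]
        if enabled and rng.random() < 0.5:
            st = enabled[0](st)
        else:
            # A fraction of the admissible duration, often the whole of it so
            # that the boundary where a discrete transition is enabled is hit.
            frac = Fr(1) if rng.random() < 0.3 else Fr(rng.randint(1, 9), 10)
            st = time_step(st, max_delta(st) * frac) or st
        visited.append(st)
    return visited
```

Every state visited by explore satisfies both safe and the generated invariants, while SAFE_ONLY_WITNESS shows the Aon verification condition failing for safe on its own.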


5.2 Other Systems Verified

Other systems verified using STeP include the temperature controller [2], the railroad crossing, the three versions of the nuclear reactor (clock translation, linear approximation, and rectangular approximation) [5], and the cat and mouse example [22]. In most of these systems the automatic invariant generator generated some of the required invariants, but the user had to supply additional invariants to make the main safety property inductive. Verification of the above systems with symbolic constants instantiated with numbers was mostly automatic, apart from providing some invariants not provided by the automatic invariant generator. Verification of these systems with symbolic constants generally required some, usually trivial, user guidance in the interactive theorem prover. More examples of hybrid systems verified with STeP will appear on the STeP webpage: http://rodin.stanford.edu/.

6 Conclusion

We demonstrated the feasibility of computer-aided deductive verification of hybrid systems. We verified with STeP symbolic versions of (admittedly small) examples previously verified by HyTech. The verification of the symbolic versions usually required some user interaction; the verification of the instantiated systems (that is, the systems verified by HyTech) was mostly automatic (apart from providing some invariants). Currently the main limitation is the lack of decision procedures for real arithmetic, which makes it necessary to prove some, mathematically trivial, first-order verification conditions interactively, which is tedious. Hopefully this problem will be ameliorated with the integration of REDLOG.

Considering that the current implementation is still rather limited, our preliminary results suggest a high potential for deductive methods for the verification of hybrid systems.

Acknowledgements: We thank Nikolaj Bjørner and Tomás Uribe for their
Abstract. The paper considers an important class of hybrid dynamical systems called differential automata. A differential automaton is said to be reducible if its dynamics can be described by some discrete automaton with a finite number of states. Our main results show that, under certain general assumptions, any differential automaton is reducible. Furthermore, we prove that any reducible differential automaton can be represented as a union of a finite number of differential automata with simple cyclic dynamics. Moreover, we show that the differential automaton has a periodic trajectory corresponding to each of these cyclic automata.

For planar differential automata, we derive an analog of the classic Poincaré-Bendixson theorem.


1 Introduction

Hybrid dynamical systems (HDS) have attracted considerable attention in recent years (see, e.g., [1, 2, 3]). In general, HDS are those that combine continuous and discrete behavior and involve, thereby, both continuous and discrete state variables. In many cases (but not always), such systems operate as follows. While the discrete state remains constant, the continuous one obeys a definite dynamical law. Transition to another discrete state implies a change of this law. In its turn, the discrete state evolves as soon as a certain event occurs, with both the evolution and the event depending on the continuous state.

A typical hybrid system is a logical discrete-event decision-making system interacting with a continuous-time process. A simple example is a home climate-control system. Due to its on-off nature, the thermostat is modelled as a discrete-event system, whereas the furnace or air-conditioner are modelled as continuous-time systems. Some other examples concern vehicle transmission systems and stepper motors, computer disk drives, robotics systems, higher-level flexible manufacturing systems, intelligent vehicle/highway systems, sea/air traffic management systems as well as various systems with relays, switches, and hysteresis (see, e.g., [1-9]).

Numerous attempts have been made recently to develop a general approach to analysis and design of hybrid control systems. (See, e.g., [1, 2, 3] and the literature therein.) One of the ideas employed was that of algebraic reduction to a finite-state automaton [4, 11, 12]. It proceeds from the fact that the relevant dynamics of certain discrete events associated with the system can be, in some cases, described with such an automaton. Roughly speaking, this means that the discrete component of the dynamics can be studied independently of the continuous one. In its turn, this is a key to the analysis of the dynamics in full. The above approach was so far justified for and most fruitfully applied to relatively simple HDS called timed automata [11, 12] as well as special flow models of manufacturing systems (see, e.g., the switched server system example in [10]).

In this paper, the problem of algebraic reducibility is considered for a quite general model of HDS called a differential automaton (DA). This model was introduced in [13] to describe various control systems with hysteresis. Under more general assumptions, it covers a considerably larger variety of HDS including those with sliding-mode phenomena [15, 16]. The DA is studied in a bounded connected invariant domain. The main goal of the paper is to demonstrate that algebraic reducibility follows directly from several general dynamical properties of the system such as well-posedness, absence of singular points on the surfaces where the discrete state changes, and some others. More precisely, whenever these properties hold, the untimed behavior of the discrete state is governed by a finite state automaton.

Algebraic reducibility not only means that the dynamical behavior of the discrete state is quite simple but also often constitutes a breakthrough to analysis of the dynamics in full. To illustrate this, it is shown in Section 4 that, under an additional assumption, the above invariant domain necessarily contains a trajectory which is periodic in both the continuous and the discrete states. Another example is given in Section 5, where an analog of the classic Poincaré-Bendixson theorem [22, p. 295] is established for planar DA. Though the focus on two-dimensional HDS is a severe restriction, they have attracted considerable attention recently. A very special example of such a system (i.e., the so-called three buffer switched arrival/server system) was investigated in [10, 17, 18, 19]. The emphasis was to distinguish between the cases when the dynamics is chaotic and, respectively, when any trajectory converges to a limit cycle. In [20], an affine HDS was investigated. Such a system consists of a partition of the Euclidean space into a finite set of polyhedral regions. Within each region, the dynamics is defined by a constant vector field. Discrete transitions occur only on the boundaries between regions. A certain reachability problem was studied, with the main result being a decision procedure for two-dimensional systems. In [21], a generic class of planar HDS was considered. It was shown how the complexity of such a system can be reduced to a one-dimensional transformation by inducing the system onto a set of curves, and certain properties of the induced system were investigated. In Section 5, we establish an analog of the Poincaré-Bendixson theorem for a quite general model of a discontinuous planar HDS. More precisely, it is shown that some general dynamical properties of the system imply that the dynamics is nonchaotic.

The body of the paper is organized as follows. Section 2 contains basic assumptions and definitions. A necessary and sufficient criterion for a DA to be well-posed is also given there. In Section 3, we present the main results. In particular, we show that a DA can be decomposed into a finite number of DA such that, for any of them, the dynamics of the discrete state is governed by a simple finite state automaton. In Section 4, we establish existence of periodic trajectories. Section 5 contains an analog of the classic Poincaré-Bendixson theorem.

The following notations are adopted throughout the paper. $\{p_1, \ldots, p_s\}$ is the set consisting of the elements listed. $\mathbb{R}^n$ is equipped with the Euclidean norm denoted as $|\cdot|$. Let $K \subset \mathbb{R}^n$ and $E \subset K$ be given. The symbol $\overline{E}^K$ stands for the relative closure of $E$ in $K$, i.e., $\overline{E}^K$ is the set of all points $a \in K$ that can be approached $a = \lim_{i \to \infty} a_i$ by a sequence $\{a_i\} \subset E$. Likewise, $\mathrm{int}_K E$ is the relative interior of $E$ in $K$, i.e., $\mathrm{int}_K E$ consists of all points $a \in E$ such that, along with $a$, the set $E$ contains all neighboring points $a' \in K$: $a' \in K, |a' - a| < \varepsilon \Rightarrow a' \in E$ for some $\varepsilon > 0$. The symbol $\partial_K E$ denotes the relative boundary of $E$ in $K$, i.e., the collection of all points from $E$ that do not belong to $\mathrm{int}_K E$. If $K = \mathbb{R}^n$, the index $K$ is dropped in the notations $\mathrm{int}_K E$, $\overline{E}^K$, $\partial_K E$.


2 Basic assumptions and definitions

Consider the following model of HDS called a differential automaton [13]

$$\dot{x}(t) = f[x(t), q(t)], \qquad (2.1)$$

$$q(t + 0) = \varphi[x(t), q(t)]. \qquad (2.2)$$

Here $x(t) \in \mathbb{R}^n$ and $q(t) \in Q$ are, respectively, the continuous-valued and the discrete states, $Q$ is a finite set of discrete states, and $f(\cdot) : \mathbb{R}^n \times Q \rightarrow \mathbb{R}^n$, $\varphi : \mathbb{R}^n \times Q \rightarrow Q$ are given functions. Assume that this system satisfies the following assumptions A.1)-A.5).

A.1) For each $p \in Q$, the function $f(\cdot, p) : \mathbb{R}^n \rightarrow \mathbb{R}^n$ is continuously differentiable. Any solution $x(\cdot)$ of the equation $\dot{x}(t) = f[x(t), p]$, $t \geq 0$ can be extended on the interval $[0, +\infty)$ and $|x(t)| \rightarrow \infty$ as $t \rightarrow \infty$. For any $p, q \in Q$, $p \neq q$, the set $T_{p \to q} := \{x : \varphi(x, p) = q\}$ is closed.

This, in particular, implies that the set

$$H_p := \{x : \varphi(x, p) = p\} = \Big\{ x \in \mathbb{R}^n : x \notin \bigcup_{q \neq p} T_{p \to q} \Big\} \qquad (2.3)$$

is open for all $p \in Q$. It also means that the dynamics within a given discrete state is simple. (We assume this for the sake of simplicity.) The next assumption resembles the nonsingularity one from the theory of differential equations with discontinuous right-hand sides [14]. This assumption stipulates that the vector fields are not tangent to the surfaces of discontinuity points. Since the boundary $\partial T_{p \to q}$ is not required to be smooth here, we need a more complicated formulation.

For any $a, h \in \mathbb{R}^n$, $r, \eta > 0$, denote by $k^r_\eta(a, h)$ the cone with the vertex $a$ and the axis $h$ defined as $k^r_\eta(a, h) := \{x \in \mathbb{R}^n : x = a + t(h + \Delta) \text{ for some } 0 < t < \eta, |\Delta| < r\}$ and say that, at the point $a$, the vector $h$ looks at a set $G \subset \mathbb{R}^n$ if $k^r_\eta(a, h) \subset G$ for some $\eta, r > 0$. By this definition, the vector $h$ does so whenever $a$ is an interior point of $G$.

A.2) For any $p, q \in Q$, $p \neq q$, and $a \in \partial T_{p \to q}$, the vector $f(a, p)$ looks at $T_{p \to q}$ whenever it does not look at $H_p$.

If the boundary $\partial T_{p \to q}$ is a $C^1$-surface, this assumption merely means that the vector $f(a, p)$ is not tangent to $\partial T_{p \to q}$ at the point $a$.

There  are  several  definitions  of  the  solution  of  the  system  (2.1),  (2.2)  in 
the  literature  (see,  e.g,  [13,  15,  16]).  The  natural  definition  [13]  by  which  the 
solution  is  a  pair  of  functions  [m(-),  ^(-)]  satisfying  (2.1)  and  (2.2)  serves  the 
simplest  case  when  p[a,  p{a,p)]  =  p(a,p)  (i.e.,  a  £  Hv^atP))  Va,p.  In  general,  the 
map  p  <pa{p)  '■=  p(&,p)  can  exhibit  a  whole  chain  of  possible  instantaneous 
transitions  of  the  discrete  state  for  given  a  =  x(t)  and  p  =  q(t) 

P=-Pi  &  P2  &  P3  ^  ‘feps-  (2-4) 

(The chain is interrupted at the largest index $s$ such that $p_i \ne p_j$ $\forall i \ne j$, $i, j \le s$.) Associated with this case are alternative definitions [15, 16]. They, in particular, take into account that, if there exist cyclic points, i.e., points $a \in \mathbb{R}^n$ for which, in (2.4), $s \ge 2$ and $\varphi_a(p_s) = p_1$, sliding-mode effects may occur [16]. Further, we shall study the system (2.1), (2.2) in a domain $K \subset \mathbb{R}^n$ and restrict ourselves to the case when

A.3) there are no cyclic points in $K$.

This, in particular, excludes sliding-mode phenomena and ensures that, in (2.4), $\varphi_a(p_s) = p_s$ $\forall a \in K$, $p \in Q$. Furthermore, we assume that the system is not obliged to perform the whole chain (2.4) of instantaneous transitions but may leave it after any transition. So (2.2) is to be replaced by

$$q(t+0) \in \Phi[x(t), q(t)], \qquad (2.5)$$

where $\Phi(a,p) := \{p' \in Q : p' = \varphi_a^{(k)}(p) \text{ for some } k = 1, 2, \ldots\}$ and $\varphi_a^{(k)} := \underbrace{\varphi_a \circ \cdots \circ \varphi_a}_{k \text{ times}}$ is the $k$-th iteration of the map $\varphi_a$. As a result, we arrive at the following

Definition 1. A pair of functions $[x(\cdot), q(\cdot)]$, $x(\cdot) : \Delta \to \mathbb{R}^n$, $q(\cdot) : \Delta \to Q$ (where $\Delta$ is an interval) is called the trajectory of the system (2.1), (2.2) if the function $x(\cdot)$ is absolutely continuous, the function $q(\cdot)$ is piecewise constant and left-continuous, equation (2.1) is true for almost all $t \in \Delta$, and (2.5) is valid for all $t \in \Delta$, $t \ne \sup\{\vartheta : \vartheta \in \Delta\}$.

A.4) The set $K$ is bounded, closed, connected, and invariant, i.e., any trajectory $[x(\cdot), q(\cdot)]$ with $x(0) \in K$ remains in $K$ for $t \ge 0$.

The last assumption will be well-posedness, which means that a small perturbation of the initial data causes only a small perturbation of the trajectory on any bounded time interval. We introduce two definitions of well-posedness. The first one focuses on the continuous state and formally permits the discrete state to be perturbed arbitrarily. The second one forbids this.

Definition 2. The system (2.1), (2.2) is said to be $x$-well posed (well posed) on $K$ if, for each trajectory $[x(\cdot), q(\cdot)]$, $0 \le t \le \tau$ with $x(0) \in K$ and any $\varepsilon > 0$, there exists $\delta > 0$ such that any trajectory $[y(\cdot), p(\cdot)]$ starting in $p(0) = q(0)$ and $y(0) \in K$ with $|y(0) - x(0)| < \delta$ can be defined on $[0, \tau]$ and remains in the $\varepsilon$-neighborhood of the original continuous state, $|y(t) - x(t)| < \varepsilon$ $\forall t \in [0, \tau]$ (as well as $\operatorname{mes}\{t : p(t) \ne q(t)\} < \varepsilon$ in the case of well-posedness).

Here and throughout, the symbol $\operatorname{mes} E$ stands for the Lebesgue measure of the set $E$.

Lemma 3. Suppose that Assumptions A.1) - A.4) hold and, for any $p, r \in Q$, $p \ne r$, the differential equations $\dot x = f(x,p)$, $\dot x = f(x,r)$ have no common integral curves intersecting $K$. Then the system (2.1), (2.2) is $x$-well posed on $K$ if and only if it is well posed on $K$.

A.5) The system (2.1), (2.2) is well posed on $K$.

This ensures that the system is deterministic on $K$, i.e., any initial data $x(0) \in K$, $q(0) \in Q$ gives rise to a unique trajectory. We close the section with a criterion for Assumption A.5) to be fulfilled. Recall that the symbol $\partial_K E$ denotes the relative boundary of a set $E \subset K$ in $K$.

Theorem 4. Suppose that Assumptions A.1) - A.4) hold. Then the following statements A) and B) are equivalent.

A) The system (2.1), (2.2) is well posed on $K$.

B) For any $p, q \in Q$, $p \ne q$, and $a \in \partial_K[T_{p\to q} \cap K]$,

B.1) the vector $f(a,p)$ looks at $T_{p\to q}$ at the point $a$

provided $p \in \varphi_a(Q)$; otherwise,

B.2) for any $\varepsilon > 0$, there exists $\delta > 0$ such that the solution $z(\cdot) = z_p(\cdot|a')$ of the Cauchy problem $\dot z = f(z,p)$, $z(0) = a'$ starting in $a' \in K \cap H_p$ with $|a' - a| < \delta$ reaches $T_{p\to q}$ no later than at the time instant $t = \varepsilon$.

Remark. B.1) $\Rightarrow$ B.2). If $z_p(t|a) \in K$ $\forall t \in [0, \eta]$ for some $\eta > 0$, then B.1) $\Leftrightarrow$ B.2).

The property A.5) is closely related to A.3) insofar as a cyclic point may cause chaos on a bounded time interval. To elucidate this, we employ the three-buffer switched arrival system example from [10]. In other words, consider DA (2.1), (2.2) with $x = (x_1, x_2, x_3)$, $Q = \{1, 2, 3\}$, $f(x,i) := f_i$ where $f_1 := (2/3, -1/3, -1/3)$, $f_2 := (-1/3, 2/3, -1/3)$, $f_3 := (-1/3, -1/3, 2/3)$, and $\varphi(x,i) := i-1$ if $x_{i-1} \le 0$; $\varphi(x,i) := i-2$ if $x_{i-1} > 0$ and $x_{i-2} \le 0$; otherwise, $\varphi(x,i) := i$. Here $j := j$ for $j \ge 1$, $0 := 3$, and $-1 := 2$ (the indices are understood cyclically). In correspondence with [10], let us focus attention on the planar invariant domain $K := \{x : x_j \ge 0,\ x_1 + x_2 + x_3 = 1\}$ (see Fig. 1).

[Figures not reproduced.] Fig. 1: the triangle $K$ with vertices $a_1$ ($x_1 = 1$), $a_2$ ($x_2 = 1$), $a_3$ ($x_3 = 1$). Fig. 2: the family of trajectories near the vertex $a_2$ described in the text.

Within the discrete state $i$, the vector $x \in K$ evolves with the velocity $f_i$. As soon as it touches the edge $X_j$ ($j \ne i$) of the triangle $K$, the state $i$ switches to $j$. This rule is deterministic except for the vertices of $K$, where a cyclic change of discrete states is offered (e.g., $3 \mapsto 2 \mapsto 1 \mapsto 2$ at the vertex $a_3$). In [10], a trajectory was assumed to terminate whenever it arrives at a vertex. Fig. 2 depicts an infinite family of trajectories starting in $q(0) = 2$, $x(0) = b_k$, $k = 0, 1, \ldots$. The part of the trajectory until the fall on the edge $X_1$ is depicted with a dotted line. Then every trajectory runs along a part of a common path depicted with a broken line. Choose a point $\rho$ on the perpendicular $a_2 o$. Let $k \to \infty$. Then the points $b_k$ and $c_k$ approach $h$ and the vertex $a_2$, respectively, and $x(T)$ (where $T := (|a_2 - h| + 2|a_2 - \rho|)/|f_2|$) converges to the point $g$ of the intersection of the above path with the perpendicular $S$ to $a_2 o$. Obviously, any point $g' \in S$ can be supplied with a sequence of initial states $\{b'_k\} \subset B$ such that $b'_k \to h$ and $x(T) \to g'$ as $k \to \infty$. Then the initial states $b_k$ and $b'_k$ are arbitrarily close to $h$ and to each other provided $k$ is large enough, while the corresponding states at $t = T$ are not. This means that, on the bounded time interval $[0, T]$, the behavior of the system is chaotic in the sense that the trajectory is infinitely sensitive to perturbations of the initial data in the vicinity of $h$. In view of this, it does not come as a surprise that the behavior of the system on the infinite time interval is also chaotic, as shown in [10]. Certainly, not every cyclic point gives rise to chaos. A criterion to distinguish between those exhibiting and those not exhibiting chaos may be a topic for separate research. In this paper, we omit this and thereby do not deal with cyclic points at all.


3  Decomposition  of  hybrid  dynamical  systems 

In this section, the interest is focused on decomposition into DA for which the only possible behavior of the discrete state is to repeat a fixed chain of transitions $p_1 \mapsto p_2 \mapsto \cdots \mapsto p_s \mapsto p_1$, $p_i \ne p_j$ $\forall i \ne j$, $i, j \le s$. It is convenient to identify such a chain with any of its cyclic shifts in the index. After this, it can be given by a pair $[C, \eta(\cdot)]$ where $C = \{p_1, \ldots, p_s\}$ and the map $\eta(\cdot) : C \to C$ indicates what state follows any $p \in C$, i.e., $\eta(p_i) = p_{i+1}$, $i = 1, \ldots, s-1$, $\eta(p_s) = p_1$.

Taking into account an obvious property of the map $\eta(\cdot)$ results in the following definition.

Definition 5. A pair $[C, \eta(\cdot)]$ is called a cycle in $Q$ if $C \subset Q$, $C \ne \emptyset$, $\eta(\cdot) : C \to C$, and, for each $p \in C$**, the sequence $p, \eta(p), \ldots, \eta^{(k-1)}(p)$ ranges over all elements in $C$ and $\eta^{(k)}(p) = p$. Here $k$ is the number of elements in $C$ and $\eta^{(j)}$ is the $j$-th iteration of the map $\eta(\cdot)$.

Definition 6. A differential automaton is said to be d-autonomous if either $\varphi(x,p) = p$ or $\varphi(x,p) = \eta(p)$ $\forall x \in \mathbb{R}^n$, $p \in Q$, where $\eta(\cdot) : Q \to Q$ is a map.

Definition 7. DA is said to be cyclic if it is d-autonomous and $[Q, \eta(\cdot)]$ is a cycle.

For a d-autonomous DA and any of its trajectories, the discrete state transitions

$$p_0 \mapsto p_1 \mapsto p_2 \mapsto \cdots \quad (p_j \ne p_{j+1}) \qquad (3.6)$$

are independent of the continuous state*** and form an orbit, i.e., $p_{i+1} = \eta(p_i)$. If the system is cyclic, the discrete state $q$ first runs over $Q$ in accordance with the map $\eta(\cdot)$, then returns to $p_0$, and further merely repeats the above chain of transitions. We underscore that whole pieces $p_k \mapsto \cdots \mapsto p_m$ of the chain (3.6) may be run through instantaneously and that this chain may be finite in general. Suppose we are given several DA

$$\dot x_i(t) = f_i[x_i(t), q_i(t)], \qquad q_i(t+0) = \varphi_i[x_i(t), q_i(t)] \qquad (3.7)$$

($i = 1, \ldots, l$) with the common continuous state space $\mathbb{R}^n$ and diverse discrete state spaces, $q_i(t) \in Q_i$.

Definition 8. The system (2.1), (2.2) is called the union of DA (3.7) on the domain $K \subset \mathbb{R}^n$ if $Q = Q_1 \cup \cdots \cup Q_l$, the sets $Q_i$ do not overlap ($Q_i \cap Q_j = \emptyset$, $i \ne j$), the domain $K$ is invariant for both DA (2.1), (2.2) and any system (3.7), and, in (2.1), (2.2),

$$f(x,p) = f_i(x,p), \quad \varphi(x,p) = \varphi_i(x,p) \quad \forall x \in K,\ p \in Q_i,\ i = 1, \ldots, l. \qquad (3.8)$$

If the system (2.1), (2.2) is the union of DA (3.7), the set $J$ of all the trajectories $[x(\cdot), q(\cdot)]$ of the system (2.1), (2.2) starting with $x(0) \in K$ is split into $l$ pairwise disjoint groups $J = J_1 \cup \cdots \cup J_l$ where $J_i$ is the analogous set for DA (3.7).

** It suffices to verify this property only for some $p \in C$.

*** which affects only the time instants of transitions
Definition 9. Let only two DA (3.7) be given (i.e., $i = 1, 2$ in (3.7)). The second of them (corresponding to $i = 2$) is said to convert on $K$ into the first one in the course of time if $Q_1 \subset Q_2$, any trajectory of the first DA is a trajectory of the second DA, and, conversely, there exists an instant $T \ge 0$ such that any trajectory of the second DA starting with $x(0) \in K$ is a trajectory of the first one in the time domain $t \ge T$.

This means that, if one considers all trajectories $[x(\cdot), q(\cdot)]$, $t \ge 0$ starting with $x(0) \in K$ and restricts any of them to the time interval $[T, +\infty)$, the resultant set of restricted trajectories is common to both DA, whereas the first of them is a "subautomaton" of the second one.

The  following  theorem  is  the  main  result  of  the  section. 

Theorem 10. Suppose that Assumptions A.1) - A.5) hold. On the domain $K$, DA (2.1), (2.2) can be represented as a union of a finite number of d-autonomous DA, each converting on $K$ into a cyclic DA (3.7) (where $i = 1, \ldots, l$) in the course of time. The number $l$ of these cyclic DA as well as the cycle $c_i = [C_i, \eta_i(\cdot)]$ related to any of them are determined uniquely (up to re-arranging in the index $i$). All the above auxiliary DA can be chosen so that they satisfy Assumptions A.1) - A.5).


Definition 11. Any of the above cycles $c_i$ is said to be fundamental for the invariant connected domain $K$.

It follows from this theorem that, for any trajectory $\mathfrak{D} = [x(\cdot), q(\cdot)]$, $x(0) \in K$ of the original system (2.1), (2.2), the discrete state $q$ evolves periodically from some time instant on. To explain this in more detail, consider such a trajectory. The full record (3.6) of all the transitions experienced by the discrete state is called the discrete path of the trajectory*. To proceed, we need several properties of trajectories. They are revealed by the following lemma.

Lemma 12. Suppose that Assumptions A.1) - A.5) hold. For any $a \in K$ and $p \in Q$, the trajectory of the system (2.1), (2.2) starting in $x(0) = a$, $q(0) = p$ can be defined on $[0, +\infty)$ and is unique. Furthermore, its discrete path is infinite, i.e., the discrete state makes infinitely many transitions on the infinite time interval $[0, +\infty)$. At the same time, it makes only a finite number of transitions on any finite time interval.

Revert now to the foregoing trajectory $\mathfrak{D}$. By Theorem 10, there exists an instant $T \ge 0$ such that $\mathfrak{D}$ is a trajectory of some cyclic DA (3.7) in the time domain $t \ge T$. Choose any transition $p_k \mapsto p_{k+1}$ from (3.6) that occurs at an instant $t \ge T$. Then the chain $p_k \mapsto p_{k+1} \mapsto \cdots$ evidently obeys the cycle $c_i = [C_i, \eta_i(\cdot)]$ related to the above cyclic DA (3.7), i.e., $p_j \in C_i$, $p_{j+1} = \eta_i(p_j)$ $\forall j \ge k$. This yields that the discrete path (3.6) does become periodic.

* If the states $a := x(t)$ and $p := q(t)$ give rise to a whole chain (2.4) of instantaneous transitions at a moment $t$, all the transitions from (2.4) that actually occur must be included in (3.6).
By Theorem 10, analysis of the dynamical behavior of DA (2.1), (2.2) in the invariant domain $K$ can be reduced to that of several cyclic DA. In its turn, any of them can be studied via reduction to discrete-time systems $y_{i+1} = g(y_i)$, $i = 1, 2, \ldots$. Indeed, let $[Q, \eta(\cdot)]$ be the cycle associated with this cyclic DA. Choose and fix a discrete state $p_0 \in Q$ and, for any $y \in K$, put $g(y) := x(t_1|y, p_0)$, where $\mathfrak{D}_{b,r} = [x(\cdot|b,r), q(\cdot|b,r)]$ is the trajectory starting in $x(0|b,r) = b$, $q(0|b,r) = r$ and $t_1$ is the least instant $t > 0$ such that $p_0 \ne q(t|y,p_0) \ne q(t+0|y,p_0)$ and the chain (2.4) generated by $p := q(t|y,p_0)$ and $a := x(t|y,p_0)$ contains $p_0$. The set $E := \{t > 0 : p_0 \ne q(t|y,p_0) \ne q(t+0|y,p_0) \text{ and the chain (2.4) generated by } p := q(t|y,p_0) \text{ and } a := x(t|y,p_0) \text{ contains } p_0\}$ is countable and has no accumulation points due to Lemma 12, A.3), A.4), and the definition of cyclic DA. So $E = \{t_j\}_{j=1}^\infty$ where $t_j < t_{j+1}$ and $t_j \to \infty$ as $j \to \infty$. Since the system is deterministic on $K$, we have $y_{j+1} = g(y_j)$ where $y_j := x(t_j)$, $j = 1, 2, \ldots$. So the behavior of the trajectories $\mathfrak{D}_{a,p_0}$ as $t \to \infty$ is closely related to that of the trajectories $\{y_j\}$ of the system $y_{j+1} = g(y_j)$ as $j \to \infty$.
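The three-buffer switched arrival system of Section 2 and the reduction of a cyclic DA to the discrete-time system $y_{j+1} = g(y_j)$ just described, as an added worked example (Python code written for this edition, not part of the paper or of [10]): the switching rule is simulated exactly as an event-driven piecewise-linear system, one function reproduces the sensitivity to initial data near a vertex discussed in Section 2, and another computes $g(y)$ as the continuous state at the first return of the discrete state to a fixed $p_0$. The initial states, the choice $p_0 = 1$, and the termination of a trajectory at a vertex (as in [10]) are assumptions of this example.

```python
# Added example (not from the paper): event-driven simulation of the
# three-buffer switched arrival system of [10] as a differential automaton,
# and the discrete-time return map g(y) obtained by fixing a discrete state p0.
# All initial states below are constructed for the example.

VELOCITY = {  # f_i: buffer i fills at rate 2/3, the other two drain at rate 1/3
    1: (2/3, -1/3, -1/3),
    2: (-1/3, 2/3, -1/3),
    3: (-1/3, -1/3, 2/3),
}


def step(x, i, tie=1e-12):
    """Advance from (x, i) to the next switching event.

    Within state i, coordinate j != i decreases at rate 1/3, so it reaches the
    edge X_j (x_j = 0) at time 3*x_j; the first such j becomes the new state.
    Returns (x_at_event, new_state, dt); new_state is None when two edges are
    hit at once, i.e. at a vertex (a cyclic point), where [10] terminates the
    trajectory.
    """
    others = [j for j in (1, 2, 3) if j != i]
    hit_time = {j: 3.0 * x[j - 1] for j in others}
    dt = min(hit_time.values())
    hit = [j for j in others if abs(hit_time[j] - dt) <= tie]
    v = VELOCITY[i]
    x_new = [x[k] + dt * v[k] for k in range(3)]
    for j in hit:
        x_new[j - 1] = 0.0          # snap the coordinate that reached its edge
    if len(hit) == 2:
        return tuple(x_new), None, dt
    return tuple(x_new), hit[0], dt


def simulate(x0, q0, T):
    """Trajectory [x(.), q(.)] on [0, T]: returns (x(T), q(T), number of
    switches), or None if the trajectory terminates at a vertex before T."""
    x, q, t, switches = tuple(x0), q0, 0.0, 0
    while True:
        x_next, q_next, dt = step(x, q)
        if t + dt >= T:                      # no further event before T
            v = VELOCITY[q]
            return tuple(x[k] + (T - t) * v[k] for k in range(3)), q, switches
        if q_next is None:
            return None
        x, q, t, switches = x_next, q_next, t + dt, switches + 1


def sensitivity_near_vertex(eta1, eta2, T=1.0):
    """Compare x(T) for two initial states x(0) = (0.1 - eta, 0.8, 0.1 + eta),
    q(0) = 2 (constructed). Both approach the vertex a_2 and then zigzag between
    states 1 and 3 with doubling amplitude; the phase of that zigzag at time T
    depends on log2(eta), so the final separation does not shrink with the
    initial one. Returns (initial gap, final gap) in the max norm."""
    def start(eta):
        return (0.1 - eta, 0.8, 0.1 + eta)
    xa, _, _ = simulate(start(eta1), 2, T)
    xb, _, _ = simulate(start(eta2), 2, T)
    initial_gap = max(abs(u - v) for u, v in zip(start(eta1), start(eta2)))
    final_gap = max(abs(u - v) for u, v in zip(xa, xb))
    return initial_gap, final_gap


def return_map(y, p0=1, max_events=10_000):
    """g(y): continuous state at the first return of the discrete state to p0
    (x(t_1 | y, p0) in the paper's notation); None if a vertex is hit first."""
    x, q = tuple(y), p0
    for _ in range(max_events):
        x, q, _ = step(x, q)
        if q is None:
            return None
        if q == p0:
            return x
    return None


def orbit(y, n, p0=1):
    """First n iterates y_1 = g(y), y_2 = g(y_1), ... of the return map."""
    out = []
    for _ in range(n):
        y = return_map(y, p0)
        if y is None:
            break
        out.append(y)
    return out


if __name__ == "__main__":
    print(sensitivity_near_vertex(1e-6, 1.5e-6))
    print(orbit((0.5, 0.3, 0.2), 3))
```

Running the module prints, for two initial states that differ by $5\cdot 10^{-7}$ near the vertex $a_2$, a final separation of about $0.13$ at $t = 1$, more than five orders of magnitude larger than the initial one; this is the bounded-interval chaos of Section 2 in numbers. Iterating `return_map` shows that $g$ always lands on the edge $X_1$, because the discrete state re-enters $p_0 = 1$ only when $x_1$ reaches $0$, so a one-dimensional map on that edge carries the asymptotic behavior, in the spirit of the reduction above (the paper's reduction assumes A.3), which this example violates at the vertices, hence the explicit termination there).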

Analysis  of  this  system  necessarily  employs  certain  properties  of  the  function 
g(-).  The  following  theorem  yields  easily  that,  under  the  circumstances,  this 
function  is  at  least  continuous.  It  also  demonstrates  that  well-posedness  in  the 
sense  of  Definition  2  implies  well-posedness  in  a  far  stronger  sense. 

Theorem 13. Suppose that Assumptions A.1) - A.5) are valid and $p \in Q$ is given.

The discrete path $\{p_j\}_{j=0}^\infty$ of the trajectory $\mathfrak{D}_{a,p} = [x(\cdot|a,p), q(\cdot|a,p)]$ is independent of $a \in K$. Given $a \in K$ and $j = 1, 2, \ldots$, denote by $\tau_j(a)$ the time instant when the system starting in $x(0) = a$, $q(0) = p$ makes the transition $p_{j-1} \mapsto p_j$. Then the functions $\tau_j(\cdot) : K \to [0, +\infty)$, $j = 1, 2, \ldots$ are continuous and

$$q(t|a,p) = p_j \quad \forall t \in (\tau_j(a), \tau_{j+1}(a)],\ a \in K,\ j = 0, 1, \ldots \quad (\tau_0(a) := 0), \qquad (3.9)$$

$$\max_{t \in [0,\lambda]} |x(t|a',p) - x(t|a,p)| \to 0$$

as $a' \to a$, $a' \in K$ for all $\lambda > 0$, $a \in K$.

4  Existence  of  periodic  trajectories 

As an example of employing the above reduction, we establish the existence of periodic trajectories for the system (2.1), (2.2). In contrast to Section 3, now we are interested in trajectories that are periodic not only in the discrete but also in the continuous state. It will be shown that such trajectories exist. Moreover, among them there are necessarily ones with a relatively simple structure. To this end, we start with an insight into the structure of periodic trajectories.

Assume that Assumptions A.1) - A.5) are fulfilled. Let $\mathfrak{D} = [x(\cdot), q(\cdot)]$ be a periodic trajectory with $x(0) \in K$ and $T$ be its least period, i.e., $T := \inf\{T : T > 0,\ x(t+T) = x(t),\ q(t+T) = q(t)\ \forall t \ge 0\}$. (Here $T > 0$ because, otherwise, $q(\cdot) \equiv p = \text{const}$ and the periodic function $x(\cdot)$ would satisfy the equation $\dot x = f(x,p)$ in violation of A.1).) The discrete path $p_0 \mapsto p_1 \mapsto \cdots \mapsto p_s$ of this trajectory on the interval $0 \le t \le T$ is finite by Lemma 12. Due to Theorem 10, it obeys some fundamental cycle $[C, \eta(\cdot)]$ of the domain $K$, i.e., $p_i \in C$ $\forall i$, $p_{i+1} = \eta(p_i)$, $i = 0, \ldots, s-1$. Periodicity and A.1) imply that the above path is composed of $k \ge 1$ complete runs through that cycle. The periodic trajectory is said to be elementary (for the invariant domain $K$) if $k = 1$ for it. For such a trajectory, the least period of the discrete state alone evidently equals the above period $T$. So does the least period of the continuous state if, for any $p, r \in Q$, $p \ne r$, the equations $\dot x = f(x,p)$, $\dot x = f(x,r)$ have no common integral curves intersecting $K$.

Theorem 14. Suppose that Assumptions A.1) - A.5) hold and the domain $K$ is homeomorphic (see [22, p.188] for the definition) to a closed ball. Then the domain $K$ contains an elementary (for $K$) periodic trajectory $\mathfrak{D} = [x(\cdot), q(\cdot)]$, $x(t) \in K$ $\forall t \ge 0$. Moreover, for any fundamental cycle $c = [C, \eta(\cdot)]$ of the domain $K$, there exists an elementary periodic trajectory $\mathfrak{D}$ that lies in $K$, i.e., $x(t) \in K$ $\forall t \ge 0$, and obeys this cycle, i.e., $p_j \in C$, $p_{j+1} = \eta(p_j)$, $j = 0, 1, \ldots$, where $\{p_j\}$ is the discrete path of $\mathfrak{D}$.

5  An analog of the Poincaré-Bendixson theorem

In this section, we consider the planar system (2.1), (2.2), i.e., $x(t) \in \mathbb{R}^2$ in (2.1), (2.2). Suppose that the system satisfies Assumption A.2) in the following strengthened form A.6) and that the following additional assumption A.7) is also valid. Recall that the symbol $\partial_K E$ stands for the relative boundary of a set $E \subset K$ in $K$.

A.6) For $p, r \in Q$, $p \ne r$, and $a \in \partial_K(T_{p\to r} \cap K)$, one of the vectors $f(a,p)$, $-f(a,p)$ looks at $H_p := \{x : \varphi(x,p) = p\}$ with the other looking at $T_{p\to r}$ at the point $a$.

A.7) The domain $K$ is closed. Given $p, r \in Q$, $p \ne r$, the set $T_{p\to r} := \{x : \varphi(x,p) = r\}$ is closed. Its relative boundary $\partial_K(T_{p\to r} \cap K)$ can be partitioned into a finite set $\mathfrak{S}_{p\to r}$ of compact segments of $C^1$-smooth non-self-crossing curves so that no more than two segments have a common point and any two segments either do not intersect or have a common end-point and are transversal. Any two segments corresponding to different pairs $(p,r)$ and $(p',r')$ are either disjoint, or transversal at any common point, or lie on a common $C^1$-smooth curve.

The main result of the section is a necessary and sufficient criterion for the system (2.1), (2.2) to exhibit simple dynamics on the invariant domain $K$. Roughly speaking, simple dynamics means nonchaotic dynamics like that described in the classic Poincaré-Bendixson theorem [22, p.295]. However, unlike that theorem, stationary points are impossible under the circumstances. (They are impossible within a given discrete state because of A.1) and within a sliding mode since it cannot occur due to A.3); see [16] for details.) In the absence of stationary points, the Poincaré-Bendixson theorem states that any trajectory of a stationary ordinary differential equation either 1) is periodic or 2) converges to one of no more than countably many limit cycles. (Recall that, in general, periodic trajectories may fill certain domains.) For the system (2.1), (2.2) the phenomenon 1) can appear in a more general fashion. A trajectory can be nonperiodic but become periodic from some time instant on (since the system is, in general, not deterministic with respect to the backward direction of time). Furthermore, the simplicity of the dynamics is supposed to mean that, for periodic trajectories, the variety of possible discrete state behaviors is finite. This concerns trajectories that are periodic both precisely and approximately. To make this precise, we introduce the following definition.

Definition 15. Let $\mathfrak{D} = [x(\cdot), q(\cdot)]$ be a trajectory defined on an interval $\Delta$. The sequence $\{p_j\}$ of values taken by the discrete state $q = q(t)$ while $t$ runs increasingly through $\Delta$ is called the symbolic range of the trajectory $\mathfrak{D}$.

Unlike the notion of the discrete path, the discrete states through which $q(\cdot)$ runs instantaneously are not taken into account now.

The symbolic range of a periodic trajectory $\mathfrak{D}$ on $(0, +\infty)$ results from periodic repetition of its symbolic range $\sigma_\mathfrak{D} = (p_0, \ldots, p_k)$ on $(0, T]$, where $T > 0$ is the least positive period. The property in question means that the variety of symbolic ranges $\sigma_\mathfrak{D}$ of periodic trajectories is finite.

In the Poincaré-Bendixson theorem, the limit cycle is treated geometrically as a curve in $\mathbb{R}^2$. Correspondingly, convergence to it means that the distance to the curve converges to zero. Because of the discrete state, it is convenient now not to employ the geomet­rical treatment but to define convergence to a limit cycle in terms of the periodic trajectory related to it. In doing so, it must be taken into account that the converging and the limit trajectories need not become synchronous as $t \to \infty$. Let $\mathfrak{D} = [x(\cdot), q(\cdot)]$ be a periodic trajectory with the period $T > 0$. We say that a trajectory $[y(\cdot), p(\cdot)]$, $t \in [0, \infty)$ converges to $\mathfrak{D}$ as $t \to \infty$ if there exists a sequence $\{t_i\} \subset (0, +\infty)$ such that $t_{i+1} - t_i \to T$ as $i \to \infty$ and

$$\max_{t \in [0,\lambda]} |y(t + t_i) - x(t)| \to 0, \qquad \operatorname{mes}\{t \in [0,\lambda] : p(t + t_i) \ne q(t)\} \to 0 \quad \text{as } i \to \infty\ \ \forall \lambda > 0. \qquad (5.11)$$

Here and throughout, $\operatorname{mes} E$ stands for the Lebesgue measure of a set $E$. Note also that, under the circumstances, the trajectory starting with $x(0) \in K$ can be defined on $[0, +\infty)$ and is unique.

Definition 16. The system (2.1), (2.2) is said to exhibit a simple periodic dynamics on $K$ if

i) there exists no more than a countable set $\mathfrak{P}$ of periodic trajectories lying in $K$ such that any trajectory $\mathfrak{D}$ starting in $K$ either is periodic for $t \ge T_\mathfrak{D}$ (where the time $T_\mathfrak{D}$ may depend on $\mathfrak{D}$ in general) or converges to some trajectory from $\mathfrak{P}$ and never becomes periodic itself;

ii) there exists a time $T_* > 0$ such that, for any trajectory lying in $K$, its symbolic range $\{p_j\}$ on the time interval $[T_*, \infty)$ is periodic (in the index $j$) and all such trajectories in total give rise to a finite number of ranges $\{p_j\}$.

Let $c = [C, \eta(\cdot)]$ be a fundamental cycle of $K$. The set

$$S_c := \{(a,p) : p \in C,\ a \in \partial_K(T_{p\to\eta(p)} \cap K)\} \qquad (5.12)$$

is called the $c$-skeleton of the domain $K$.

Restructuring points. Given $p \in C$, put

$$S_p^{(1)} := \partial_K(T_{p\to\eta(p)} \cap K), \qquad S_p^{(i+1)} := S_p^{(i)} \cap T_{\eta^i(p)\to\eta^{i+1}(p)} \qquad (5.13)$$

where $i = 1, 2, \ldots$ and $\eta^i(\cdot)$ is the $i$-th iteration $\eta(\cdot) \circ \cdots \circ \eta(\cdot)$ of the map $\eta(\cdot)$. In terms of the chain

$$p_0 := p \mapsto p_1 := \varphi_a(p_0) \mapsto \cdots \mapsto p_n := \varphi_a(p_{n-1})^{*} \qquad (5.14)$$

of instantaneous transitions generated by $a$ and $p$, (5.13) shapes into

$$S_p^{(i)} = \{a \in S_p^{(1)} : \text{the chain (5.14) begins with the sequence } p \mapsto \eta(p) \mapsto \cdots \mapsto \eta^i(p)\}.$$

By A.4), $S_p^{(i)} = \emptyset$ $\forall i > k$ where $k$ is the number of elements in $C$.

Lemma 17. Any nonempty set $S_p^{(i)}$ ($p \in C$, $i = 1, 2, \ldots$) is a union of a finite number of points and pairwise disjoint topological segments (i.e., sets homeomorphic§ to an interval $[t_0, t_1]$, $t_0 < t_1$).

As a result, the relative boundary $\partial_p^i$ of $S_p^{(i+1)}$ in $S_p^{(i)}$ is a finite set. Any point $(a,p) \in S_c$ such that $a \in \partial_p^i$ for some $i = 1, 2, \ldots$ is called a restructuring point on the $c$-skeleton.

Regular and singular points. For $(a,p) \in S_c$, (5.12) $\Rightarrow$ $a \in \partial_K(T_{p\to\eta(p)} \cap K)$ and, by A.7), $a$ belongs to one segment $s$ or two segments $s', s''$ from $\mathfrak{S}_{p\to\eta(p)}$. In the first case, the line tangent to $s$ at $a$ is said to be tangent to $\partial_K(T_{p\to\eta(p)} \cap K)$ at $a$. In the second case, the angle formed by the rays tangent to $s'$ and $s''$ is said to be tangent to $\partial_K(T_{p\to\eta(p)} \cap K)$ at $a$. Consider the last term $p_n$ in the chain (5.14). The pair $(a,p) \in S_c$ is said to be regular if the line spanned by $a$ and $a + f(a,p_n)$ intersects both open domains into which the line or angle tangent to $\partial_K(T_{p\to\eta(p)} \cap K)$ at $a$ splits the plane $\mathbb{R}^2$. A pair $(a,p) \in S_c$ which is not regular is said to be singular.

Backstepping mapping in the $c$-skeleton. Let $z_r(\cdot|a)$ (where $r \in Q$ and $a \in \mathbb{R}^2$) stand for the solution $z(\cdot)$ of the boundary problem $\dot z = f(z,r)$, $z(0) = a$ extended to the maximal interval. Given $\omega = (b,r) \in S_c$, put

$$E_\omega := \{\theta < 0 : z_r(t|b) \in H_r\ \forall t \in [\theta, 0)\}, \qquad (5.15)$$

$$W(\omega) := \{(a,p) \in S_c : (a,p) = \omega \text{ or } p_n = r \text{ in (5.14) and } a = z_r(\theta|b) \text{ for some } \theta \in E_\omega\}. \qquad (5.16)$$

The multivalued function $(b,r) \in S_c \mapsto W(b,r) \subset S_c$ is called the backstepping mapping in the $c$-skeleton. The following lemma illustrates this notion.

* The chain is interrupted at the largest index $n$ such that $p_i \ne p_j$ $\forall i \ne j$, $i, j \le n$.

§ See [22, p.188] for the definition.

Lemma 18. Let $(a,p) \in S_c$, $(b,r) \in S_c$, $(a,p) \ne (b,r)$. Then $(a,p) \in W(b,r)$ if and only if there exists a trajectory $[x(\cdot), q(\cdot)]$, $t \ge 0$ lying in $K \times C$ and two consecutive discontinuity points $0 < t_1 < t_2$ of the function $q(\cdot)$ such that $(a,p) = [x(t_1), q(t_1)]$ and $(b,r) = [x(t_2), q(t_2)]$.

For $\omega \in S_c$, denote $W^1(\omega) := W(\omega)$, $W^{i+1}(\omega) := \{\omega' : \omega' \in W(\omega_*) \text{ for some } \omega_* \in W^i(\omega)\}$, $i = 1, 2, \ldots$. The set $O^-(\omega) := \bigcup_{i \ge 1} W^i(\omega)$ is called the backward $c$-orbit of the point $\omega$.

Our  last  assumption  is  as  follows. 

A.8) For each fundamental cycle $c$ of the invariant domain $K$, the set of singular points on the $c$-skeleton is finite and the backward $c$-orbit of any such point is also finite.

The  following  theorem  is  the  main  result  of  the  section. 

Theorem 19. Let $x(t) \in \mathbb{R}^2$ in (2.1), (2.2) and Assumptions A.1) - A.8) hold. Then the following two statements are equivalent.

(i) The system (2.1), (2.2) exhibits a simple periodic dynamics on $K$.

(ii) For each fundamental cycle $c$ of the invariant domain $K$, the backward $c$-orbit of any restructuring point on the $c$-skeleton is finite.

Assumption A.8) is evidently fulfilled if there are no singular points on the $c$-skeleton for any $c$. This is the case if, for example, each set $\mathfrak{S}_{p\to r}$ either consists of pairwise disjoint straight segments or is empty, and any vector field $f(\cdot,p)$, $p \in Q$ is constant and transversal to all of the above segments.

In the remainder of the section, (i) of Theorem 19 and Assumptions A.1) - A.8) are assumed to be true.

Remark 1. Let, for each fundamental cycle $c = [C, \eta(\cdot)]$ of $K$, any segment $s \in \mathfrak{S}_{p\to\eta(p)}$ lie on an analytic curve and the vector fields $f(\cdot,p)$, $p \in C$ be analytic. Then, in i) of Definition 16, the set $\mathfrak{P}$ can be chosen finite.

Remark 2. In i) of Definition 16, the time $T_\mathfrak{D}$ can be chosen independent of $\mathfrak{D}$.

Let $\mathfrak{D}$ be a trajectory lying in $K$. Recall that the full record $p_0 \mapsto p_1 \mapsto \cdots$ of all the transitions experienced by the discrete state is called the discrete path of $\mathfrak{D}$. Under the circumstances, this path is evidently composed of successive gearing chains

$$\underbrace{p_0 \mapsto \cdots \mapsto p_{k_1}}_{\mathcal{P}_1} \mapsto \underbrace{\cdots \mapsto p_{k_2}}_{\mathcal{P}_2} \mapsto \cdots \qquad (5.17)$$

(where $1 \le k_1 < k_2 < \cdots$), each encompassing all the transitions that occur at a certain time instant. It easily follows from Theorem 10 that the path $\{p_j\}$ is eventually periodic. In view of A.3), Theorem 19 ensures, via justifying ii) of Definition 16, that the distribution (5.17) also becomes eventually (namely, for $t \ge T_*$) periodic, i.e., $\mathcal{P}_{j+k} = \mathcal{P}_j$ for all sufficiently large $j$.
Abstract. The optimal control problem for hybrid (discrete-continuous) systems is considered in the case when the continuous behavior can be controlled and discontinuities arise when the system reaches the boundary of some set. We suppose that discontinuities can be considered as a result of some impulsive inputs, which can be represented in feedback form as intermediate conditions. Meanwhile, various types of irregularities, such as non-extendability of the solution or sliding modes, can arise. However, if the jumps of the solution are described by some shift operator, as for hybrid systems satisfying the robustness condition, one can reduce this problem to the standard problem of nonsmooth optimization, and the representation of the solution by a differential equation with a measure and the existence theorem for the optimal solution can be obtained.


1  Introduction 

In recent years there has been a significant increase in the modelling and control of hybrid systems, which can frequently be treated as systems characterized by continuous and discrete behaviour. The motion of such systems can be divided into regular and singular parts, i.e. continuous and jumping, respectively. These systems are very typical for various mechanical applications, where the discrete-continuous modes of motion could arise because of shocks and friction. There has been significant progress in this area, including the development of a rigorous mathematical framework for the description of these systems and preliminary formulations of procedures for the synthesis of control laws for them. However, the common mathematical feature of this class of systems is the presence of singularities, which manifest themselves in discontinuities and nonsmoothness in the system motion, jumps in the system dimension, the lack of continuous dependence on initial conditions and nonuniqueness of the solution of the equations of motion (see, for example, [1], [3]).
Traditionally  the  control  of  such  systems  has  been  exerted  either  during 
the  nonsingular  phase  of  the  system  motion  or  during  the  singularity 
phase,  which  was  induced  by  the  control  action  itself  and  did  not  exist 
in  the  system  naturally  [5],  [6],  [10],  [13].  Modem  theory  of  impulsive 
control  provides  the  appropriate  framework  for  the  synthesis  of  the  im¬ 
pulsive  control  actions  in  the  open  loop  form.  The  proper  tool  for  the 
description  and  optimization  of  such  systems  is  the  discontinuous  time 
transformation  method,  developed  for  nonlinear  systems  in  [5],  [6].  How¬ 
ever,  this  approach  cannot  be  directly  applied  to  general  hybrid  systems, 
where  impulsive  actions  can  arise  as  feedback  ones,  when  the  system 
under  control  achieves  the  appropriate  state  or  the  set  of  states. 

This paper focuses on the novel idea of considering a jump as a result of
some "fictitious motion" along the paths of some auxiliary system, which
provides a model of "fast motion" and describes the jump, arising in the
motion of a hybrid system, in terms of some shift operator. This approach
is based on the representation of robust hybrid systems which was obtained
in [8], where hybrid systems are treated as systems with impulsive inputs.
However, if we consider these systems as ones with impulsive actions in
feedback form, it becomes necessary to find a more general mathematical
framework than for standard problems with impulse controls.

Thus,  the  goals  of  this  paper  are: 

-  to  develop  the  mathematical  framework  for  the  description  of  con¬ 
trollable  hybrid  systems  with  impulsive  actions  in  feedback  form; 

-  to  derive  the  appropriate  equations  for  the  description  of  motion; 

-  on  the  basis  of  this  framework  to  develop  procedures  for  the  design 
of  control  in  these  systems  to  satisfy  specific  control  objectives. 


2  Problem  statement 

Consider the evolution of a discrete-continuous dynamical system, whose
behaviour is described on some interval $[0, T]$ by a variable $X(t) \in \mathbb{R}^n$,
which satisfies the differential equation

$$\dot X(t) = F(X(t), u(t)), \tag{1}$$

with given initial condition $X(0) = x_0 \in \mathbb{R}^n$ and the following intermediate
conditions

$$X(\tau_i) = X(\tau_i-) + \Psi(X(\tau_i-)), \tag{2}$$

which are given for some sequence of instants $\{\tau_i,\ i = 0, \dots, N\}$, $N \le \infty$,
satisfying the recurrence conditions

$$\tau_0 = 0, \qquad \tau_i = \inf\{\tau_{i-1} < t \le T : G(X(t-)) = 0\}, \tag{3}$$

and $\tau_i = \infty$ if the appropriate set is empty.

In equation (2) $X(\tau_i-) = \lim_{t \uparrow \tau_i} X(t)$, and $\tau_i$ is the sequence of instants
when the system state changes discontinuously.

So, the state of the system changes continuously on the half-intervals $[0, \tau_1), \dots,
[\tau_{i-1}, \tau_i), \dots, [\tau_N, T]$, and undergoes a sudden change at every instant $\tau_i$,
whose value, due to equation (2), depends on the state preceding the
jump.

We suppose that the control variable in (1) satisfies

$$u \in U \subset \mathbb{R}^m, \tag{4}$$

where $U$ is some compact set, and the function $F(X, u)$ is continuous with
respect to all variables and continuously differentiable with respect to $X$.
To be sure that the solution of (1) is continuable to the right we need some
additional assumptions concerning the functions $F(X)$ and $G(X)$. So we
suppose that $X(\tau_i) = X(\tau_i-) + \Psi(X(\tau_i-))$ is the result of the action of the
shift operator along the paths of the differential equation

$$\dot y(s) = B(y(s)), \qquad s \in [0, \infty) \tag{5}$$

with initial condition $y(0) = X(\tau_i-)$.

Therefore, if $\Phi(x, s)$ is the general solution of (5) with initial condition
$y(0) = x$, then

$$X(\tau_i) = X(\tau_i-) + \Psi(X(\tau_i-)) = \Phi(X(\tau_i-), s^*(X(\tau_i-))), \tag{6}$$

where

$$s^*(X(\tau_i-)) = \inf\{s > 0 : G(\Phi(X(\tau_i-), s)) = 0\}, \tag{7}$$

and on the interval $(0, s^*(X(\tau_i-)))$ we have the relation $G(\Phi(X(\tau_i-), s)) > 0$.

We assume also that $B(y)$ is continuously differentiable with respect to $y$.
Remark 1. All these conditions are not sufficient to prove the continuability
of the solution for an arbitrary initial condition $x_0$ and some measurable
control $u(\cdot)$; however, if there exists some bounded solution $X(t)$ with a
finite number of jumps one can establish its uniqueness and continuous
dependence on initial conditions.

The optimization problem to be considered is the minimization of the performance
criterion

$$J[X(\cdot), u(\cdot)] = \phi_0(X(T)) \tag{8}$$

with some continuously differentiable function $\phi_0$.

Remark 2. In spite of all our assumptions concerning the regularity of the functions
involved in the problem statement, this problem belongs to a class
of extremely irregular ones due to the possibility of nonextendability of the
solution (if the set of points $s$ in (7) is empty or the infimum is equal to
infinity). The first case leads to a so-called "sliding mode" along the set
$G(x) = 0$, as in systems with a discontinuous right-hand side [11]; the second
one corresponds to the case of nonextendability of the solution beyond
some jump point. However, in the case when the jump behavior is described
by some shift-type operator it is possible to reduce this problem
to a more regular one by using the discontinuous time transformation
as in impulsive control problems [5].

Remark 3. The description of a jump by some shift operator looks
rather artificial; however, all discrete-continuous systems that are stable
(or robust) with respect to an approximation procedure of the impulsive
input admit such a jump representation [6], [10], [13].

Before further consideration it would be useful to present a simple example
of a hybrid system which is a rather typical one and simultaneously
has all the specific features of the systems described above.

Example. Dynamics of a point with elastic shocks [9]. Consider the motion
of a unit mass point with generalized coordinates $\{x_1, x_2\}$ (position
and velocity, respectively), which moves along a straight line up to an
elastic obstacle at the point $x_1 = 0$. Suppose that the initial state $x_1(0) < 0$,
and the force depends on the state, velocity and some control $u$, that is,
in the area $x_1 < 0$ the motion equations are

$$\dot x_1(t) = x_2(t), \qquad \dot x_2(t) = F(x_1(t), x_2(t), u(t)). \tag{9}$$

The elastic shock at the instant $\{\tau : x_1(\tau) = 0\}$ causes the sudden change of
the velocity sign, i.e.

$$x_2(\tau) = -x_2(\tau-),$$

and the instant evolution can be described by the appropriate shift operator
along the paths of the system of differential equations

$$\dot y_1(s) = y_2(s), \qquad \dot y_2(s) = -y_1(s) \tag{10}$$

with initial conditions

$$y_1(0) = x_1(\tau-), \qquad y_2(0) = x_2(\tau-).$$

Indeed, the solution of the above system is

$$y_1(s) = x_2(\tau-)\sin(s), \qquad y_2(s) = x_2(\tau-)\cos(s),$$

hence, we have $y_1(s) > 0$ on the interval $(0, \pi)$ and

$$y_1(\pi) = 0, \qquad y_2(\pi) = -y_2(0) = -x_2(\tau-).$$

Therefore, the shift operator along the paths of system (10) describes
the jump behaviour in the proper way.


3  Description  of  solution  via  discontinuous  time 
transformation 

Suppose for some control $u(\cdot)$ we have a solution of (1) defined on
the interval $[0, T]$, and suppose also that this solution, namely $X(t)$, has
a finite number of jumps at the points $\{\tau_i,\ i = 1, \dots, N\}$. It means that for
every $i = 1, \dots, N$ there is defined $s_i^* = s^*(X(\tau_i-)) < \infty$, such that

$$X(\tau_i) = \Phi(X(\tau_i-), s^*(X(\tau_i-))).$$

Consider the time interval $[0, T_1]$, where

$$T_1 = T + \sum_{i=1}^{N} s_i^*, \tag{11}$$

and define on $[0, T_1]$ the function

$$\alpha(s) = \begin{cases} 1, & s \in \Big[\tau_{i-1} + \sum_{k<i} s_k^*,\ \tau_i + \sum_{k<i} s_k^*\Big), \\ 0, & \text{otherwise.} \end{cases} \tag{12}$$

Define on the interval $[0, T_1]$ the auxiliary system

$$\dot y(s) = \alpha(s)F(y(s), u(\eta(s))) + (1 - \alpha(s))B(y(s)), \qquad \dot\eta(s) = \alpha(s), \tag{13}$$

with initial conditions

$$y(0) = x_0, \qquad \eta(0) = 0.$$

Then the following correspondence exists between the auxiliary and the original
system (1).


Theorem 1. For any solution $X(t)$ of (1) define the function $\eta(s)$ by relation
(12) and the inverse one by the relation

$$\Gamma(t) = \inf\{s : \eta(s) > t\},$$

with $\Gamma(T) = T_1$ by definition.

If $\{y(\cdot), \eta(\cdot)\}$ is the solution of (13), then

$$X(t) = y(\Gamma(t))$$

is the solution of system (1).


The proof follows from the result which has been obtained for the discontinuous
time transformation in robust discrete-continuous systems [6].
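The following is an added worked example, not code from the paper: it simulates the point-with-elastic-obstacle system of the Example in Section 2, realises each jump numerically by the shift operator (6)-(7) along the fast-motion system (10), and keeps the bookkeeping of the discontinuous time transformation (11)-(13) so that Theorem 1's relation $X(t) = y(\Gamma(t))$ can be checked on the samples. Assumptions of the example: $F(x_1, x_2, u) = u$ (a constant acceleration control), $G(x) = x_1$ (admissible set $x_1 \le 0$), a fixed-step RK4 integrator, and a projection of the state onto $G = 0$ when the crossing is detected between two grid points.

```python
import math

# Added example (not from the paper).  Assumed system: F(x1, x2, u) = u, G(x) = x1.

def F(x, u):
    """Continuous vector field of (9): x1' = x2, x2' = F(x1, x2, u), here F = u."""
    return (x[1], u)

def B(y):
    """Vector field of the fast-motion system (10): y1' = y2, y2' = -y1."""
    return (y[1], -y[0])

def G(x):
    """Constraint function: the obstacle sits on G(x) = x1 = 0."""
    return x[0]

def rk4_step(field, state, h):
    """One classical Runge-Kutta step of size h for state' = field(state)."""
    k1 = field(state)
    k2 = field(tuple(s + 0.5 * h * k for s, k in zip(state, k1)))
    k3 = field(tuple(s + 0.5 * h * k for s, k in zip(state, k2)))
    k4 = field(tuple(s + h * k for s, k in zip(state, k3)))
    return tuple(s + h / 6.0 * (a + 2 * b + 2 * c + d)
                 for s, a, b, c, d in zip(state, k1, k2, k3, k4))

def shift_operator(x_minus, field=B, h=1e-3, s_max=100.0):
    """Numerical version of (6)-(7): integrate y' = field(y) from y(0) = x_minus until
    G(y) returns to 0.  Returns (s*, Phi(x_minus, s*)), or (None, None) when the fast
    motion never comes back within s_max (the non-extendable case of Remark 2)."""
    y, s = rk4_step(field, x_minus, h), h       # leave the boundary: G > 0 on (0, s*)
    while G(y) > 0 and s < s_max:
        y, s = rk4_step(field, y, h), s + h
    if s >= s_max:
        return None, None
    return s, y

def simulate(x0, u, T, h=1e-3):
    """Integrate (9) on [0, T] with jumps realised by the shift operator.  Returns the
    original-time trajectory, the jump instants with their s*, the auxiliary-time record
    (s, eta(s), alpha(s), y(s)) of system (13), and T1 from (11)."""
    t, s, x = 0.0, 0.0, x0
    traj, jumps = [(t, x)], []
    record = [(s, t, 1, x)]
    for _ in range(int(round(T / h))):
        x_next = rk4_step(lambda z: F(z, u), x, h)
        t += h
        if G(x_next) >= 0:                       # boundary reached at tau ~ t
            x_minus = (0.0, x_next[1])           # project onto G = 0 (approximation)
            s_star, x_plus = shift_operator(x_minus)
            if s_star is None:
                raise RuntimeError("solution is not extendable beyond t = %g" % t)
            jumps.append((t, s_star))
            s += h
            record.append((s, t, 0, x_minus))    # alpha = 0: eta is frozen during the jump
            s += s_star
            x = x_plus
        else:
            s += h
            x = x_next
        traj.append((t, x))
        record.append((s, t, 1, x))
    return {"traj": traj, "jumps": jumps, "record": record,
            "T1": T + sum(ss for _, ss in jumps)}

def gamma(record, t):
    """Gamma(t) = inf{s : eta(s) > t} from the sampled record, with the y(s) found there."""
    for s, eta, _, y in record:
        if eta > t:
            return s, y
    s, _, _, y = record[-1]
    return s, y

def state_at(traj, t):
    """X(t) from the original-time samples (first sample with time > t, as in gamma)."""
    for tt, x in traj:
        if tt > t:
            return x
    return traj[-1][1]

if __name__ == "__main__":
    # Constructed run: start at x1 = -1 at rest, accelerate towards the wall with u = 2.
    sim = simulate((-1.0, 0.0), 2.0, 2.5)
    print("jumps (tau, s*):", sim["jumps"], " T1 =", sim["T1"])
    print("X(2.0) =", state_at(sim["traj"], 2.0), " y(Gamma(2.0)) =", gamma(sim["record"], 2.0))
```

With $u = 2$ the wall is reached at $\tau = 1$ with velocity $2$, the fast motion takes $s^* = \pi$ and returns the velocity $-2$, so $T_1 = T + \pi$; the auxiliary clock $\eta$ stands still for the $\pi$ units of $s$ spent in the jump, which is exactly what $\Gamma$ skips over. Passing a drifting field to `shift_operator` reproduces the non-extendable case of Remark 2: the loop hits `s_max` and the function reports that no $s^*$ exists.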

Notice that by definition $\alpha(s) = 1$ if $G(y(s)) < 0$ and $\alpha(s) = 0$ if
$G(y(s)) > 0$. This observation will be a basis for the further transformation
of the original optimization problem. Moreover, we could consider the
system (13) as a system which in some sense is equivalent to (1), with the
new variable $\eta(s)$ for the rescaled time and with the variable $\alpha$ as an
additional control, which satisfies the constraint

$$\alpha(s) = \begin{cases} 1 & \text{if } G(y(s)) < 0, \\ 0 & \text{if } G(y(s)) > 0. \end{cases} \tag{14}$$

However, (14) does not define $\alpha$ on the boundary of the constraint, namely
on the set $\{G(y(s)) = 0\}$, but here we can admit the relaxation of the
problem, putting $\alpha(s) \in [0, 1]$. This relaxation corresponds to the standard
method of convexification of the right-hand side to guarantee the existence
of the optimization problem solution [4].

Moreover, one can present the constraint (14) in the integral form, i.e.

$$\int_0^{T_1} \alpha(s)\, G^+(y(s))\,ds = 0, \qquad \int_0^{T_1} (1 - \alpha(s))\, G^-(y(s))\,ds = 0, \tag{15}$$

where

$$G^+(y) = \max\{G(y), 0\}, \qquad G^-(y) = \max\{-G(y), 0\}.$$

Using this relaxation one can obtain the following result, which generalizes
Theorem 1.


Theorem 2. Let $\{y(\cdot), \eta(\cdot)\}$ be any solution of system (13) with some
Lebesgue measurable controls $\{\alpha(\cdot), u_1(\cdot)\}$ satisfying the constraints

$$\alpha(s) \in [0, 1], \qquad u_1(s) \in U \quad \text{a.e. on } [0, T_1], \tag{16}$$

and such that $y(\cdot)$ satisfies (15) and $\eta(T_1) = T$. Define the monotonically
increasing $\Gamma(t)$ by the relation

$$\Gamma(t) = \inf\{s : \eta(s) > t\}, \qquad \Gamma(T) = T_1, \tag{17}$$

then for $X(t) = y(\Gamma(t))$ there exist:

1. a Lebesgue measurable control $u(\cdot)$ : $u(t) \in U$ almost everywhere on $[0, T]$,

2. a nonnegative regular measure $\mu(dt)$, localized on the set $\{t : G(X(t)) = 0\}$
and having the Lebesgue decomposition

$$\mu((0, t]) = \mu_c((0, t]) + \sum_{\tau \le t} \mu(\{\tau\}),$$

where $\mu_c(dt)$ is the continuous component of the measure, and $\mu(\{\tau\})$ is a
discrete one, localized at the point $\tau$;

such that $X(t)$ is the unique right continuous solution of the equation with a
measure

$$dX(t) = F(X(t), u(t))\,dt + B(X(t))\,\mu_c(dt) + \sum_{\tau \le t} \Psi(X(\tau-), \mu(\{\tau\})), \tag{18}$$

satisfying the constraint

$$G(X(t)) \le 0 \quad \text{for any } t \in [0, T]. \tag{19}$$

Proof. Define $\Gamma(\cdot)$ by relation (17). Then $\Gamma$ is monotonically increasing
and right continuous [6]. Therefore, $X(t) = y(\Gamma(t))$ is right continuous
and satisfies the equation

$$X(t) = x_0 + \int_0^{\Gamma(t)} \alpha(s) F(y(s), u_1(s))\,ds + \int_0^{\Gamma(t)} (1 - \alpha(s)) B(y(s))\,ds. \tag{20}$$

Define the distribution function of $\mu(dt)$ by the relation

$$\mu((0, t]) = \int_0^{\Gamma(t)} (1 - \alpha(s))\,ds,$$

then

$$\mu_c((0, t]) = \int_0^{\Gamma(t)} I\{s : \eta(s) \notin D_\Gamma\}\,(1 - \alpha(s))\,ds, \qquad
\mu(\{\tau\}) = \Gamma(\tau) - \Gamma(\tau-) \ \text{ if } \tau \in D_\Gamma,$$

where $D_\Gamma$ is the set of jump points of $\Gamma$ and the symbol $I\{A\}$ stands for the
indicator function of the set $A$.

Assuming $u(t) = u_1(\Gamma(t))$, we obtain it to be Lebesgue measurable (see
[7] Thm. 4.1), and applying the same arguments of time substitution as
in [6] we find that $X(t)$ satisfies the equation

$$X(t) = x_0 + \int_0^{t} F(X(s), u(s))\,ds + \int_0^{t} B(X(s))\,d\mu_c(s) + \sum_{\tau \in D_\Gamma \cap \{\tau \le t\}} \int_{\Gamma(\tau-)}^{\Gamma(\tau)} B(y(s))\,ds, \tag{21}$$

where

$$\int_{\Gamma(\tau-)}^{\Gamma(\tau)} B(y(s))\,ds = \Psi\big(y(\Gamma(\tau-)),\ \Gamma(\tau) - \Gamma(\tau-)\big) = \Psi\big(X(\tau-), \mu(\{\tau\})\big)$$

due to relations (5) and (6).

Since (21) is the integral representation of (18), we have proved that $X(t)$
satisfies the above equation. Uniqueness of the solution follows in the standard
way from the differentiability of $F$ and $B$.

Now by applying the time substitution to relations (15), we obtain

$$\int_0^{T_1} \alpha(s)\, G^+(y(s))\,ds = \int_0^{T} G^+(X(s))\,ds = 0,$$

$$\int_0^{T_1} (1 - \alpha(s))\, G^-(y(s))\,ds = \int_0^{T} G^-(X(s))\,d\mu(s) = 0,$$

and, therefore,

$$G(X(t)) \le 0 \quad \text{a.e. on } [0, T],$$

but due to the continuity of $G$ and the right continuity of $X$, this inequality
will be valid for any $t \in [0, T]$.

As follows from the second relation, the nonnegative measure $\mu(dt)$ is localized
on the set $\{t : G^-(X(t)) = 0\}$; however, due to the previous conclusion
this set coincides with the set $\{t : G(X(t)) = 0\}$.

Remark 4. This theorem gives a representation of the generalized solution of the
hybrid system (1), which corresponds to the cases when the number of jumps
could be equal to infinity and/or a sliding mode along the boundary
$G(x) = 0$ could arise. Both cases are determined by the properties of the
measure $\mu(dt)$, i.e., the case $\mu_c([0, T]) > 0$ corresponds to the existence of a
sliding mode, and the case of an infinite number of atomic
points of $\mu(dt)$ corresponds to the case of an infinite number of jumps.

Remark 5. The problem of correspondence between ordinary and generalized
(relaxed) solutions in the presence of either sliding modes or an
infinite number of jumps is non-trivial. Generally it is not possible to
approximate the generalized solution by a sequence of ordinary ones
without constraint violation. However, it is possible to guarantee that
this violation will be uniformly small and goes to zero, while the approximating
sequence converges to the generalized solution uniformly [7].
4 Existence of the optimal solution

So we come to the concept of a generalized solution of the hybrid system, which
can be defined as a right continuous function $X(\cdot)$, such that $G(X(t)) \le 0$,
and satisfying equation (18) with some admissible control $u$ and a
nonnegative measure $\mu(dt)$, localized on the set $\{G(X(t)) = 0\}$.

As follows from the previous results it makes sense to search for the solution of
the original optimization problem in the class of generalized solutions.
From Theorem 2 one can obtain the equivalence of the original optimization
problem, which contains measures, to some auxiliary problem
of nonsmooth optimization.

Auxiliary Problem. Consider the optimal control problem for system (13)
with controls $\{\alpha, u_1\}$ satisfying (16), and such that the integral constraints
(15) are valid. We will consider this problem on the nonfixed time
interval $[0, T_1]$, such that $T_1 < \infty$ : $\eta(T_1) = T$, with the performance criterion

$$J\{y(\cdot), \alpha(\cdot), u_1(\cdot)\} = \phi_0(y(T_1)) \to \min,$$

where $\phi_0$ is the same as in (8).


Theorem 3. Suppose that the set $F(X, U)$ is convex for any $X \in \mathbb{R}^n$,
the set of admissible controls of the auxiliary problem is non-empty, and the
set of admissible $T_1$ such that $\eta(T_1) = T$ is uniformly bounded. Then
the auxiliary problem has an optimal solution and the optimal generalized
solution of the original problem satisfies equation (18) with the
appropriate control $u(\cdot)$ and measure $\mu(dt)$.


Proof. For any control $u(\cdot)$ and measure $\mu(dt)$, which give some generalized
solution, one can define the appropriate controls $\{\alpha(s), u_1(s)\}$,
which are admissible in the auxiliary problem. Indeed, if

$$\Gamma(t) = t + \mu((0, t]),$$

and

$$\eta(s) = \inf\{t : \Gamma(t) > s\},$$

then the appropriate admissible controls $\{\alpha(s), u_1(s)\}$ can be defined by the
relations

$$\alpha(s) = \dot\eta(s), \qquad u_1(s) = u(\eta(s)),$$

and

$$J[X(\cdot), u(\cdot)] = J\{y(\cdot), \alpha(\cdot), u_1(\cdot)\},$$

since $X(T) = y(T_1)$. Therefore,

$$\inf_{u(\cdot)} J \ \ge\ \inf_{\{\alpha(\cdot),\, u_1(\cdot)\}} J.$$

Due to the convexity assumptions and the boundedness of $T_1$ the set of
admissible paths of the auxiliary problem is compact (see [4]); therefore
the optimal control exists and the infimum in the right-hand side of the
above relation can be achieved on some controls $\{\alpha^0, u^0\}$.

To prove the existence of the optimal solution for the original problem it is
sufficient to apply Theorem 2. Indeed, if $\{y^0, \alpha^0, u^0\}$ is the optimal solution
of the auxiliary problem, then one can define $\{X^0, u^0, \mu^0\}$ such that
$X^0(t) = y^0(\Gamma(t))$, and by virtue of conditions (15) we have

$$\int_0^{T} G^+(X^0(t))\,dt = \int_0^{T_1} \alpha^0(s)\, G^+(y^0(s))\,ds = 0,$$

$$\int_0^{T} G^-(X^0(t))\,d\mu^0(t) = \int_0^{T_1} (1 - \alpha^0(s))\, G^-(y^0(s))\,ds = 0;$$

therefore, $G(X^0(t)) \le 0$ almost everywhere on $[0, T]$ and the measure $\mu^0(dt)$
is localized on the set $\{t : G(X^0(t)) = 0\}$. However, $X^0(\cdot)$ is a right
continuous function, thus the constraint $G(X^0(t)) \le 0$ is valid for all
$t \in [0, T]$.

Since $X^0(T) = y^0(T_1)$,

$$J[X^0(\cdot), u^0(\cdot)] = J\{y^0(\cdot), \alpha^0(\cdot), u^0(\cdot)\} = \inf J,$$

and the triple $\{X^0, u^0, \mu^0\}$ is the optimal solution of the original problem
in the class of generalized solutions.

Remark  6.  The  auxiliary  problem  belongs  to  a  class  of  nonsmooth  op¬ 
timization  problems  due  to  the  nondifferentiability  of  functions  G+  and 
G~.  However,  by  applying  the  methods  recently  obtained  for  nonsmooth 
problems  (see,  for  example  [2]),  it  becomes  possible  to  derive  necessary 
optimality  conditions  in  the  maximum  principle  form  and  design  the 
computational  algorithms. 
Abstract. Given a heuristic estimate of the relative safety of a hybrid
dynamical  system  trajectory,  we  transform  the  initial  safety  problem  for 
dynamical  systems  into  a  global  optimization  problem.  We  introduce 
MLLO-IQ  and  MLLO-RIQ,  two  new  information-based  optimization  algo¬ 
rithms.  After  demonstrating  their  strengths  and  weaknesses,  we  describe 
the  class  of  problems  for  which  different  optimization  methods  are  best- 
suited. 

The  transformation  of  an  initial  safety  problem  for  dynamical  systems 
into  a  global  optimization  problem  is  accomplished  through  construction 
of  a  heuristic  function  which  simulates  a  system  trajectory  and  returns 
a  heuristic  evaluation  of  the  relative  safety  of  that  trajectory.  Since  each 
heuristic  function  evaluation  may  be  computationally  expensive,  it  be¬ 
comes  desirable  to  invest  more  computational  effort  in  intelligent  use  of 
function  evaluation  information  to  reduce  the  average  number  of  eval¬ 
uations  needed.  To  this  end,  we’ve  developed  MLLO-IQ  and  MLLO-RIQ, 
information-based  methods  which  approximate  optimal  optimization  de¬ 
cision  procedures. 
1 Introduction

Given a simulated hybrid dynamical system $S$, a set of possible initial states $I$,
and a set of "unsafe" states $U$, we wish to verify nonexistence of an $S$-trajectory
from $I$ to $U$ within $t_{max}$ time units. We call this the initial safety problem. Suppose
we are given an approximate measure of the relative safety of a trajectory.
More specifically, let $f$ be a function taking an initial state $i$ as input, and evaluating
the $S$-trajectory from $i$ such that $f(i) = 0$ if and only if the $S$-trajectory
from $i$ enters $U$ within $t_{max}$ time units, and $f(i) > 0$ otherwise. Then verification
of the initial safety problem can be transformed into the global optimization
(GO) problem:

$$\min_{i \in I} f(i) > 0$$

GO methods may therefore terminate when $i$ is found such that $f(i) = 0$.
Given that $f$ does not generally have an analytic form, we do not assume the
availability of derivatives. Since each evaluation of $f$ may require a computationally
expensive simulation, we are particularly interested in GO methods which
perform relatively few evaluations of $f$. In this context, we introduce two new
information-based optimization methods which use function evaluation information
approximately optimally in choosing the next best point for evaluation. We
demonstrate that these algorithms generally match or exceed the performance
of the best methods from our previous comparative study [1], describe the class
of functions for which they are best suited, and finally turn our attention to
the trade-off between brute-force function evaluation and intelligent, selective
function evaluation.

2  Motivation 

Our research was largely motivated by the following safety verification task:
Given bounds on the system parameters of a stepper motor (e.g. viscous friction,
inertial load), bounds on initial conditions (e.g. angular displacement and
velocity), and an open-loop motor acceleration control, verify that no scenario
exists in which the motor stalls. We model the motor's continuous dynamics
using ODEs given in [2]:

$$\dot\theta = \omega$$

$$\dot\omega = \frac{-i_a N_b \sin(N\theta) + i_b N_b \cos(N\theta) - D \sin(4N\theta) - F_v \omega - F_c\,\mathrm{sign}(\omega) - F_g}{J_l + J_m}$$

$$\dot i_a = \big(V_a - i_a R + \omega N_b \sin(N\theta)\big)/L$$

$$\dot i_b = \big(V_b - i_b R - \omega N_b \cos(N\theta)\big)/L$$

where $\theta$ and $\omega$ are motor shaft angular displacement and velocity, $i_a$ and $i_b$ are
coil A and B current, $V_a$ and $V_b$ are coil A and B voltage, $R$ and $L$ are coil
resistance and inductance, $N$ is the number of rotor teeth, $N_b$ is the maximum
motor torque per amp, $D$ is the maximum detent torque, $F_v$ is the viscous
friction, $F_c$ is the Coulomb friction, $F_g$ is the gravitational torque load, and $J_l$
and $J_m$ are load and motor shaft inertia. For this system we classify a stall as a
deviation of jq or more radians from the current desired $\theta$ equilibrium.

The  motor  is  stepped  by  reversing  polarity  of  the  coil  voltages  in  alternation 
(see  Figure  1).  Changes  to  coil  voltages  occur  on  such  a  small  time  scale  that  their 
continuous  simulation  is  judged  unnecessary  for  modeling  dynamics  relevant  to 
the  verification  task.  Voltage  changes  were  therefore  approximated  as  discrete 
events.  Our  acceleration  control  is  open-loop:  At  fixed  intervals  the  motor  is 
stepped  according  to  an  acceleration  table.  We  can  express  such  a  system  as  a 
nonlinear  hybrid  automaton  as  shown  in  Figure  2. 


Fig.  1.  Simple  Stepper  Motor  Stepping 


First,  we  note  that  there  is  no  apparent  “geometrically  linear  hybrid  system”1 
approximation  with  which  we  could  apply  the  tools  of  computational  geometry, 
but  simulation  is  feasible.  Next,  we  note  that  our  verification  is  concerned  with 

1  i.e.  restricted  to  constant  first  derivatives;  “geometrically”  as  opposed  to  “alge¬ 
braically” 
a fixed initial time interval (i.e. during acceleration) and is therefore an initial
safety problem. Finally, we note that we can compute minimum angular displacement
from a stall state over all simulation states as a simple heuristic to
numerically rate the relative safety of safe trajectories. We can now ask, "For
all possible system parameters and initial states, are all simulation trajectories
rated safe?" Put another way, "Is the minimum heuristic evaluation of all possible
simulations greater than zero?" If we can answer this optimization question
positively, we have verified safety of our hybrid system.
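As an added example (not the paper's code), the following block simulates the stepper-motor hybrid automaton described above with an RK4 integrator and computes the safety heuristic $f$ of Section 1 for one initial state: the minimum over the trajectory of the angular distance to a stall, clipped to $0$ as soon as the unsafe set is entered. The ODEs are the ones quoted from [2]; everything else is a constructed assumption for the sake of a runnable illustration: the parameter values in `PARAMS`, the full-step voltage sequence (both coils energized, polarity of one coil reversed per step, so the desired equilibrium advances by $\pi/(2N)$ each step), the stall threshold passed in by the caller, and the choice to start at rest at the first equilibrium with steady coil currents.

```python
import math

# Added example (not from the paper).  PARAMS, the stepping sequence and the rest state
# are constructed assumptions; only the ODE form comes from the text.
PARAMS = dict(N=50, Nb=0.5, D=0.02, Fv=0.01, Fc=0.0, Fg=0.0,
              Jl=1e-4, Jm=1e-5, R=1.0, L=0.01, V=5.0)

def sign(w):
    return (w > 0) - (w < 0)

def motor_rhs(state, Va, Vb, p):
    """Right-hand side of the stepper-motor ODEs for state (theta, omega, i_a, i_b)."""
    th, w, ia, ib = state
    N, Nb = p["N"], p["Nb"]
    torque = (-ia * Nb * math.sin(N * th) + ib * Nb * math.cos(N * th)
              - p["D"] * math.sin(4 * N * th) - p["Fv"] * w
              - p["Fc"] * sign(w) - p["Fg"])
    return (w,
            torque / (p["Jl"] + p["Jm"]),
            (Va - ia * p["R"] + w * Nb * math.sin(N * th)) / p["L"],
            (Vb - ib * p["R"] - w * Nb * math.cos(N * th)) / p["L"])

def rk4_step(field, state, h):
    """One classical Runge-Kutta step of size h for state' = field(state)."""
    k1 = field(state)
    k2 = field(tuple(s + 0.5 * h * k for s, k in zip(state, k1)))
    k3 = field(tuple(s + 0.5 * h * k for s, k in zip(state, k2)))
    k4 = field(tuple(s + h * k for s, k in zip(state, k3)))
    return tuple(s +  h / 6.0 * (a + 2 * b + 2 * c + d)
                 for s, a, b, c, d in zip(state, k1, k2, k3, k4))

def desired_theta(k, N):
    """Assumed equilibrium after k full steps: both coils on, N*theta = pi/4 + k*pi/2."""
    return math.pi / (4 * N) + k * math.pi / (2 * N)

def safety_heuristic(init, p, step_period, t_max, stall_threshold, dt=1e-5):
    """f(init): minimum over the trajectory of the angular distance to a stall; returns 0
    iff the deviation from the desired equilibrium reaches stall_threshold within t_max."""
    state, t, k = init, 0.0, 0
    Va, Vb = p["V"], p["V"]
    next_step = step_period if step_period else math.inf
    worst = 0.0
    for _ in range(int(round(t_max / dt))):
        if t >= next_step - 1e-12:           # discrete event of the automaton: step
            k += 1
            if k % 2:                         # reverse coil polarity in alternation
                Va = -Va
            else:
                Vb = -Vb
            next_step += step_period
        state = rk4_step(lambda z: motor_rhs(z, Va, Vb, p), state, dt)
        t += dt
        worst = max(worst, abs(state[0] - desired_theta(k, p["N"])))
        if worst >= stall_threshold:
            return 0.0                        # trajectory entered the unsafe set U
    return stall_threshold - worst

def rest_state(p):
    """Constructed initial state: at the k = 0 equilibrium with steady coil currents."""
    return (desired_theta(0, p["N"]), 0.0, p["V"] / p["R"], p["V"] / p["R"])

if __name__ == "__main__":
    thresh = math.pi / 50                     # constructed stall threshold (radians)
    print("no stepping:", safety_heuristic(rest_state(PARAMS), PARAMS, None, 0.02, thresh))
    heavy = dict(PARAMS, Jl=1e3)              # absurd load: the rotor cannot follow
    print("heavy load :", safety_heuristic(rest_state(heavy), heavy, 1e-4, 0.05, thresh))
```

A GO method in the sense of Section 1 would call `safety_heuristic` with the initial state and parameters drawn from the bounds of the verification task; the function is the expensive black box $f$ whose zeros the optimizer hunts for, and the two runs in `__main__` show the two outcomes it distinguishes: a motor that sits at its equilibrium scores the full threshold, while a load too heavy to follow the step table falls behind the desired angle and is rated $0$ as soon as it is more than the threshold away.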

One  could  argue  that  such  optimization  is  not  verification,  that  one  cannot 
exhaustively  simulate  all  possibilities  and  can  therefore  have  no  guarantees.  One 
can  only  use  such  optimization  for  refutation.  To  this,  we  offer  two  responses: 
First,  if  one  has  additional  knowledge  of  characteristics  of  one’s  heuristic  evalu¬ 
ation  function,  then  an  intelligent  optimization  approach  can  utilize  such  char¬ 
acteristics  to  guarantee  a  strictly  positive  minimum  (i.e.  safety)  with  enough 
testing.  For  example,  if  one  is  seeking  a  zero  minimum  of  a  heuristic  function 
which  has  Lipschitz  conditions,  and  there  is  no  possibility  for  a  zero  to  occur 
between  previously  evaluated  points  without  violating  such  conditions,  one  can 
terminate  the  optimization  having  verified  safety.  Second,  if  one  has  no  such 
knowledge  about  the  heuristic  (as  is  the  case  for  our  stepper  motor  problem), 
the  absence  of  verification  techniques  well-suited  to  non-trivial  dynamics  leaves 
good  global  optimization  as  the  best  assurance.  As  has  been  demonstrated  with 
several  NP-hard  satisfiability  problems  [3],  refutation  through  a  well-chosen  op¬ 
timization  technique,  while  not  complete,  can  open  the  door  to  solving  larger 
classes  of  problems  reliably. 

This  said,  we  have  endeavored  to  develop  innovative  information-based  global 
optimization  methods  which,  under  certain  assumptions  and  constraints,  make 
approximately  optimal  use  of  information  gained  in  the  course  of  optimization. 
We  next  introduce  some  of  these  methods. 


3  Information-Based  Global  Optimization 

From the previous comparative study [1], we noted that most global optimization
methods throw away most of the information gained in the course of optimization.
For our purposes, each evaluation of $f$ requires a simulation which may be
computationally expensive, so we are particularly motivated to make good use
of such information in order to reduce the function evaluations needed.

One  approach  is  to  characterize  properties  of  the  set  of  functions  one  wishes  to 
optimize  and  to  use  such  information  to  construct  an  optimal  decision  procedure 
for  optimization.  In  the  course  of  optimization,  we  use  our  current  set  of  function 
evaluations  to  decide  on  the  next  best  point  to  evaluate  with  respect  to  our 
function  set.  Such  is  the  strategy  of  Bayesian  or  information  approaches  to 
global  optimization  [4-7],  which  have  optimal  average  case  behavior  over  the  set 
of  functions  for  which  each  is  designed.  Previous  information-based  methods  have 
largely  been  limited  to  global  optimization  in  one  dimension.  In  this  section,  we 
introduce two new information-based optimization methods for multidimensional
problems.

We  first  introduce  the  decision  procedure  used  by  these  methods,  thus  expli¬ 
cating  the  class  of  functions  for  which  the  decision  procedure  is  biased.  Next  we 
discuss  the  use  of  multi-level  local  optimization  for  speeding  convergence.  Finally, 
we  introduce  the  information-based  optimization  algorithms  themselves. 

3.1 Decision Procedure

At each iteration $i$ of our algorithm, we wish to evaluate our heuristic function
$f$ at the location $x_i$ for which $f(x_i) = 0$ is most likely to occur. We base our
notion of likelihood on characteristics of a class of functions to which $f$ belongs.
Our decision procedure is then based on some decision ranking function $g_i$ which
computes a ranking corresponding to the relative likelihood of a zero occurring
at an unevaluated point $x_i$ given previous $f$-evaluations at $x_1, x_2, \dots$

$$g_i(x_i) = g(x_1, x_2, \dots, x_{i-1}, x_i)$$

So for each iteration $i$, we could globally optimize $g_i$ to choose the next $x$ for
which $f$ is evaluated. However, a reliable global optimization of $g$ for each iteration
of a global optimization of $f$ is not only computationally prohibitive, but
increasingly very difficult as well. We instead desire to approximate an optimal
decision with respect to our assumptions about $f$, and we do so by uniformly,
randomly sampling $g$, returning the optimum of the samples. We call this DECISION1
(see Function 1). The computational complexity of this decision procedure grows
as the computational complexity of evaluating $g_i$ (which we will see is $O(i^2)$).


Function 1 Sampling information-based optimization decision function

DECISION1(L, lbound, ubound):
  % Input: L, a list of [x, f(x)] pairs
  %        lbound, lower bounding corner of search space
  %        ubound, upper bounding corner of search space
  mingx := infinity
  for i := 1 to maxpts
    x := uniformly random vector in space bounded by lbound and ubound
    gx := g(L, x)
    if gx < mingx then
      mingx := gx
      minx := x
    end
  end for
  return minx


In order to construct $g$, we must make some assumptions over $f$'s class of
functions with regard to where we would most expect to find zeros. One assumption
we make is that $f$ is continuous². Another assumption concerns flatness and
smoothness preferences: Given a set of points and their $f$-evaluations, a zero is
more likely to occur where it demands less slope between itself and previous
points.

A first attempt at constructing $g_i$ might be to create a function which returns

$$g_i(x) = \max_{j=1}^{i-1} \frac{f(x_j)}{\|x - x_j\|}$$

That is, we could rank the likelihood of $f(x) = 0$ by computing the maximum
slope between the hypothetical zero at $x$ and other points we've already evaluated.
The lesser the $g$-value, the more likely a zero $f$-value. The global minimum
of $g$ would then be the optimal point at which to next evaluate $f$ given previous
$f$ evaluations.

Consider Figure 3(a). Suppose we have evaluated the curve at points a, b, and 
c and are using such a g as our decision ranking function. Intuitively, we would 
want g to return point d as the next best point to evaluate. However, the slope 
between a and d will make d a less preferable decision point than one to the right 
of d, for which a zero would have equal slopes to a and c for this simple function. 
We would like instead for point b to "shadow" point d from point a. Our simple 
attempt to do so is shown as Function 2. A point a is "shadowed" by point b, with 
respect to a candidate d, if $\|d - b\| < \|d - a\|$ and 
$|f(a) - f(b)| / \|a - b\| > |f(a) - f(d)| / \|a - d\|$, where the hypothetical 
zero at d contributes $f(d) = 0$; this is exactly the slope test Function 2 performs 
on the recorded f-values. That is, a is shadowed by b if b is closer to d than a is, 
and the slope between a and b on f is greater than the slope between a and d. 


3.2  Multi-Level  Local  Optimization 

One might then construct the simple information-based global optimization 
procedure given in Program 1. However, one ramification of random sampling in our 
decision procedure is that we do not achieve efficient convergence. This is 
illustrated in Figure 3(b). From the initial random point in the lower left corner, 
the procedure then checks points in the upper right, lower right, upper left, and 
just left of the global minimum at the center. The cluster of 25 points that follows 
gradually expands towards the center from the fifth point. In practice, where 
failures do not occur in minuscule regions, this behavior is not a problem. However, 
our decision procedure will also have to bear the computational burden of small 
dense clusters of points which are not very informative globally. We may wish 
instead to apply a rapidly convergent local optimization procedure and pay attention 
only to the first and last points of such an optimization. 

In our previous comparative study [1], we note that this is a common approach 
among the most successful methods of the study. A global search phase makes use of 
a local optimization subroutine so that the global phase is, in effect, searching 
$f'(x_1) \stackrel{\mathrm{def}}{=} f(x_2)$ where $[x_2, f_{\min}] = \mathrm{LO}(f, x_1)$ 
and LO is a local optimization procedure. In SALO [8] (simulated annealing atop 
local optimization), for each point evaluation in the global phase, a local 
optimization takes place and the function value of the local minimum is associated 
with the original point. The effect can be roughly described as a "flattening" of a 
search space into many plateaux (with plateaux corresponding to local minimum 
values). This search paradigm may be generalized to arbitrary levels where each 
level performs some optimizing transformation of its search landscape to create a 
"simpler" one for the level above. Obviously, the work done to simplify should be 
more than compensated by the reduced search effort for the level above. The top 
level performs a global optimization, and all lower levels perform local 
optimization. We call this paradigm Multi-Level Local Optimization (MLLO). We 
assert that information-based optimization is particularly well-suited to 
optimizing coarsely plateaued search landscapes. Now let us consider two 
information-based applications of MLLO. 

2 This is not a trivial assumption for our general application, of course. Our 
stepper motor system trajectories are continuous in the initial condition. Such 
continuity is preserved in our choice of f. 

Fig. 3. (a) Shadowing example. (b) Information-based global optimization of a 2-D 
paraboloid. 

3.3  MLLO-IQ  and  MLLO-RIQ 

MLLO-IQ (Program 2) is a 2-level MLLO with a simple information-based approach 
(Program 1) atop quasi-Newton local optimization. With each iteration, MLLO-IQ 
chooses a point $x_1$, locally optimizes f from $x_1$ to $x_2$, and associates 
$f(x_2)$ with both $x_1$ and $x_2$ in order to "plateau" the space. In doing so, we 
limit the number of function values involved in decision making. Still, we may wish 
to further limit such growth in computational complexity. By limiting our 
information-based search to a hypersphere containing a maximum limit of previously 
evaluated points, we limit the complexity to a constant. Such is the approach taken 
in MLLO-RIQ. 

Function 2  g, the decision procedure function to be optimized 

g(L, x): 
  % Input: L, a list of [x, f(x)] pairs 
  %        x, current decision point being evaluated 
  for i := 1 to length(L) 
    dx(i) := ||x - first(L(i))|| 
  end for 
  sort dx in ascending order and permute L accordingly 
  maxslope := 0 
  for i := 1 to length(L) 
    slope := second(L(i)) / dx(i) 
    if slope > maxslope then 
      newmaxslope := 1 
      for j := 1 to i-1 
        otherslope := |second(L(i)) - second(L(j))| / ||first(L(i)) - first(L(j))|| 
        % Note: this otherslope information may be cached. 
        if otherslope > slope then 
          newmaxslope := 0; break from for loop (j) 
        end if 
      end for 
      if newmaxslope then maxslope := slope 
    end if 
  end for 
  return maxslope 

MLLO-RIQ (see Program 3) begins with a locally minimized random point and a 
maximum search radius. Together these define our initial hypersphere. With each 
iteration, a decision procedure (DECISION2) finds an approximately optimal next 
point to locally optimize within this hypersphere. If the new point has a lesser 
function value than the center, it becomes the new center and the distance between 
the two points becomes the new hypersphere radius. If too many points are being 
considered in DECISION2, a smaller number of points closest to the center are 
retained and the search radius is adjusted. This information-based local 
optimization terminates when the number of times the center minimum is found by 
local optimization exceeds a threshold. Then the process repeats with a new random 
point. Thus we perform a random search of information-based local optimizations of 
quasi-Newton local optimizations. 


Program 1  Simple information-based global optimization 

H := [] 
newx := random point in search space 
fx := f(newx) 
if fx = 0 then terminate with signal UNSAFE 
H := append(H, [newx, fx]) 
loop forever 
  newx := DECISION1(H, lbound, ubound) 
  fx := f(newx) 
  if fx = 0 then terminate with signal UNSAFE 
  H := append(H, [newx, fx]) 
end loop 

Program 2  MLLO-IQ 

H := [] 
newx1 := random point in search space 
[newx2, fx] := LO(f, newx1) 
if fx = 0 then terminate with signal UNSAFE 
H := concatenate(H, [[newx1, fx], [newx2, fx]]) 
loop forever 
  newx1 := DECISION1(H, lbound, ubound) 
  [newx2, fx] := LO(f, newx1) 
  if fx = 0 then terminate with signal UNSAFE 
  H := concatenate(H, [[newx1, fx], [newx2, fx]]) 
end loop 
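The decision procedure and the Program 1 loop, as a runnable Python example added here (it is not the paper's own code): `g` implements the shadowed maximum-slope ranking of Function 2, `decision1` the sampling minimisation of Function 1, and `search` the Program 1 loop with an evaluation budget in place of `loop forever`. The objective `demo_objective` is a constructed stand-in for the simulation-based heuristic f: it is zero on a disc of "unsafe" initial conditions and grows linearly outside it. `maxpts`, `max_evals` and the seed are choices made for this example, not values from the paper.

```python
"""Information-based zero search: Function 2 (g with shadowing), Function 1
(DECISION1) and the Program 1 loop.  Added example, not the paper's code; the
objective below is a constructed stand-in for the heuristic f."""
import math
import random
from typing import Sequence, Tuple

Point = Tuple[float, ...]
Sample = Tuple[Point, float]          # one [x, f(x)] pair of the history list L


def dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def g(L: Sequence[Sample], x: Point) -> float:
    """Function 2: rank a hypothetical zero at x by the largest slope it would
    force towards an already-evaluated point, skipping points that a nearer
    point shadows (the slope between the two evaluated points exceeds the
    slope from the candidate).  Lower is better."""
    if not L:
        return 0.0
    ordered = sorted(L, key=lambda s: dist(x, s[0]))   # nearest first
    maxslope = 0.0
    for i, (xi, fi) in enumerate(ordered):
        d = dist(x, xi)
        if d == 0.0:
            return math.inf          # x is already evaluated: never re-pick it
        slope = fi / d
        if slope <= maxslope:
            continue
        shadowed = False
        for xj, fj in ordered[:i]:   # only nearer points can shadow x_i
            dij = dist(xi, xj)
            if dij > 0.0 and abs(fi - fj) / dij > slope:
                shadowed = True
                break
        if not shadowed:
            maxslope = slope
    return maxslope


def decision1(L, lbound, ubound, maxpts, rng):
    """Function 1: approximate the global minimiser of g over the box
    [lbound, ubound] by the best of maxpts uniform random samples."""
    best_x, best_g = None, math.inf
    for _ in range(maxpts):
        x = tuple(rng.uniform(lo, hi) for lo, hi in zip(lbound, ubound))
        gx = g(L, x)
        if best_x is None or gx < best_g:
            best_x, best_g = x, gx
    return best_x


def search(f, lbound, ubound, maxpts=50, max_evals=200, seed=1):
    """Program 1 with an evaluation budget.  Returns (history, x) where x is a
    point with f(x) = 0 (the UNSAFE signal) or None if the budget ran out."""
    rng = random.Random(seed)
    H = []
    newx = tuple(rng.uniform(lo, hi) for lo, hi in zip(lbound, ubound))
    for _ in range(max_evals):
        fx = f(newx)
        H.append((newx, fx))
        if fx == 0.0:
            return H, newx
        newx = decision1(H, lbound, ubound, maxpts, rng)
    return H, None


def demo_objective(x: Point) -> float:
    """Constructed heuristic: distance to a disc of 'unsafe' initial
    conditions centred at (0.5, 0.5) with radius 0.35; zero inside the disc."""
    return max(0.0, dist(x, (0.5, 0.5)) - 0.35)


if __name__ == "__main__":
    history, zero = search(demo_objective, (0.0, 0.0), (1.0, 1.0))
    print("evaluations:", len(history), "UNSAFE at:", zero)
```

Each call to `g` sorts the history and, for every point whose slope beats the running maximum, scans the nearer points for a shadow, which is the $O(i^2)$ growth the text mentions; in `search` that cost is paid `maxpts` times per iteration, which is why MLLO-RIQ caps the number of points a decision considers.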


4  Experimental  Results 

We now compare our information-based approaches to those considered in our 
previous comparative study. See [1] for details and references. Our first tests 
all made use of the same quasi-Newton local optimization method where applicable. 
100 optimization trials were performed for each objective function with a maximum 
of 10000 function evaluations permitted per trial. Each objective function was 
offset (if necessary) to have a global minimum value of 0. A successful trial was 
one in which the optimization procedure found a point with function value less 
than .001 within 10000 function evaluations. This simulates situations where one is 
seeking a rare failure case in f. Each entry in the table of results (Figure 4) 
shows the number of successful trials (upper left) and the average number of 
function evaluations for such trials (lower right) for each optimization procedure 
(rows) and objective function (columns). 

Both MLLO-IQ and MLLO-RIQ perform very well in general. What is most instructive 
from these results are the cases where the strengths and weaknesses of these 
methods are most prominently displayed. Let us first consider RAST, the Rastrigin 
function. RAST is a 2-D, sinusoidally-modulated, shallow paraboloid with 49 local 
minima within the search bounds. The quasi-Newton local optimization layer of 
MLLO-IQ and MLLO-RIQ effectively transforms this objective function f into a 
shallow paraboloid of plateaux f'. MLLO-IQ's global information-based search of f' 
finds the lowest plateau very quickly, and the local information-based search of 
MLLO-RIQ does a focussed descent which leads it to the global minimum with even 
greater efficiency. This suggests that these searches are particularly well-suited 
to global optimization of functions with a moderate number of local minima. For 
functions with fewer local minima (HUMP, G-P, and GW1), there is little to be 
gained by such extra computation. Random local optimization (RANDLO) will suffice. 

Program 3  MLLO-RIQ 

H := []; radius := maxradius 
loop forever 
  x := random point in search space 
  [center, centerval] := LO(f, x) 
  if centerval = 0 then terminate with signal UNSAFE 
  H := concatenate(H, [[x, centerval], [center, centerval]]) 
  sort pairs in H in ascending order of ||first(pair) - center|| 
  H' := up to first minpts pairs of H 
  centerhits := 0 
  % exit once the center minimum has been re-found more than maxcenterhits times 
  while centerhits <= maxcenterhits 
    recenter := false 
    newx1 := DECISION2(H', center, radius) 
    [newx2, fx] := LO(f, newx1) 
    if fx = 0 then terminate with signal UNSAFE 
    if ||newx2 - center|| < tolerance1 then 
      centerhits := centerhits + 1 
    end if 
    if centerval - fx > tolerance2 then 
      radius := min(maxradius, ||newx2 - center||) 
      center := newx2; centerval := fx; centerhits := 0; recenter := true 
    end if 
    H := concatenate(H, [[newx1, fx], [newx2, fx]]) 
    H' := concatenate(H', [[newx1, fx], [newx2, fx]]) 
    if length(H') > maxpts then 
      recenter := true 
    end if 
    if recenter then 
      sort pairs in H in ascending order of ||first(pair) - center|| 
      H' := up to first minpts pairs of H 
    end if 
  end while 
end loop 

Now let us consider the weaknesses of these methods shown in failed cases with 
GW100. Indeed the performance of these methods is worse than random local 
optimization. Why? GW100 is a 6-D, sinusoidally-modulated, shallow paraboloid with 
about $4 \times 10^7$ local minima. For this function, our quasi-Newton local 
optimization exhibits interesting and unexpected behavior: in all but the lowest 
points of the surface, local optimization most often leads to local minima that 
are far from those nearby the initial point. In this example, we are reminded that 
"local" in "local optimization" refers to properties of the optimum itself and not 
the "nearness" of the optimum location. Without such nearness, the search landscape 
is not simply transformed into a landscape of plateaux. Our quasi-Newton local 
optimization did not optimize to near minima, and so created a landscape which was 
not suited for information-based global optimization. 

Fig. 4. Successful trials and average function evaluations for each global 
optimization procedure and test function 

MLLO-RIQ also has difficulty with GW100, but for different reasons. After quickly 
finding the region containing the global minimum, the method spends much of the 
remainder of its search effort first searching many points mutually far apart near 
the boundary of the 6-D hypersphere. Perhaps randomly sampling f or f' within the 
search hypersphere might encourage convergence. SALO remains our best option for 
functions with a large number of local minima. 

While these functions may give a general indication of the relative strengths of 
these methods (without tuning), the functions share a common property undesirable 
for our purposes: the unconstrained, global minimum is never located at or beyond 
the bounds of the search space. Therefore, our optimization methods need not 
perform well along the bounds of our search space. It is for this reason that 
unconstrained quasi-Newton local optimization was suitable for use with such global 
optimizations. We used this as an opportunity to try two constrained LO procedures, 
CONSTR and YURETMIN, for the 2-D stepper motor test problems STEP1 and STEP2 [1] 
(see Figure 5). STEP1 takes as input two parameters (viscous friction and load 
inertia) of the stepper motor model, simulates acceleration of the motor, and 
performs a simple heuristic evaluation of the trajectory by computing the minimum 
distance to a stall state (0 if stalled). One could incorporate more sophisticated 
understanding of a problem domain into one's heuristic function, but computing the 
minimum distance to an undesirable state is simple and effective for our purposes. 
STEP2 is STEP1 logarithmically scaled so as to focus on the unsafe region of the 
parameter space. These test functions were chosen for their difficulty. For this 
testing, we performed 10 trials to find a function value of 0 with a maximum of 
1000 function evaluations per trial. The results appear in the tables of Figure 6. 


Fig. 5. Stepper motor test functions: (a) STEP1, (b) STEP2. 


These results were very pleasing. MLLO-IQ is the first technique we have observed 
that has succeeded in every STEP1 and STEP2 trial. It does so with excellent 
efficiency as well. Since the decision procedure computation time was also 
dominated by simulation time, it was also easily the fastest algorithm for these 
trials. MLLO-RIQ did surprisingly well considering that most of the search space of 
these functions slopes downward and away from the corner of the space where the 
rare failure cases occur. 

5  Conclusions 

A powerful approach to initial safety verification is to transform the problem 
into an optimization problem and leverage the power of efficient optimization 
methods. This transformation is accomplished through a heuristic evaluation 
function f which takes an initial state as input, simulates the corresponding 
trajectory, and evaluates the trajectory, returning zero if the trajectory is 
unsafe, or a strictly positive ranking of the relative safety of the trajectory 
otherwise. Initial safety verification is then a matter of whether or not the 
global minimum of f over all possible initial states is strictly positive. Our 
simple heuristic function computes the minimum distance from a trajectory to an 
unsafe state, but deeper understanding of the problem domain may be incorporated 
as well. 

Although we have not investigated the applicability of optimization to 
non-deterministic hybrid systems, we believe such techniques are applicable to a 
broader class of deterministic hybrid systems than we have demonstrated. Use of 
problem domain knowledge to construct a heuristic function and choose global and 
local optimization techniques should expand the frontier of solvable hybrid system 
problems. Optimization techniques which are robust with respect to discontinuities 
should be used for most hybrid system initial safety problems. 

Fig. 6. Results for STEP1 and STEP2 

From the previous comparative study [1], we noted that most global optimization 
methods throw away most of the information gained in the course of optimization. 
For our purposes, each evaluation of f requires a simulation which may be 
computationally expensive, so we are particularly motivated to make good use of 
such information in order to reduce the function evaluations needed. To this end, 
we have introduced two new information-based global optimization methods, MLLO-IQ 
and MLLO-RIQ, which, under certain assumptions and constraints, make approximately 
optimal use of information gained in the course of optimization. Our decision 
procedure is biased towards approximately optimal average-case behavior for a 
subclass of continuous heuristic functions. 

While  no  global  optimization  procedure  in  our  studies  was  generally  dom¬ 
inant,  we  note  that  random  local  optimization  seems  best  suited  for  heuristic 
functions  with  few  minima,  SALO  [8]  seems  best  suited  for  heuristic  functions 
with  very  many  local  minima,  and  MLLO-IQ  and  MLLO-RIQ  seem  best  suited 
for  low-dimensional  heuristic  functions  with  a  moderate  number  of  local  min¬ 
ima.  MLLO-IQ  and  MLLO-RIQ  appear  better  suited  for  problems  where  the  global 
minima  are  expected  to  occur  at  and  within  the  bounds  of  the  search  space 
respectively. 

Finally, we note that the computational effort invested toward efficient 
optimization should be compensated by reduced overall runtime. For our problem, the 
computational expense of our simulation justified such effort. But what of initial 
safety problems for which simulation requires less runtime? Setting maxpts to its 
minimum (a single sample) in Function 1 yields random decisions. As maxpts → ∞, 
our decisions approach optimality and the decision-making effort exceeds the search 
effort it saves. Where is the happy medium in this tradeoff? In future research, we 
hope to investigate means of dynamically adjusting the level of strategic effort of 
such information-based algorithms in order to address a larger class of problems 
efficiently. 
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Abstract.  Motivated  by  an  example  from  aircraft  conflict  resolution 
we  seek  a  methodology  for  synthesizing  controllers  for  nonlinear  hybrid 
automata.  We  first  show  how  game  theoretic  methodologies  developed 
for  this  purpose  for  finite  automata  and  continuous  systems  can  be  cast 
in  a  unified  framework.  We  then  present  a  conceptual  algorithm  for  ex¬ 
tending  them  to  the  hybrid  setting.  We  conclude  with  a  discussion  of 
computational  issues. 


1  Introduction 

In  the  first  part  of  this  paper  we  present  a  motivating  example:  we  describe  an 
iteration  process  to  calculate  the  maximal  set  of  safe  initial  conditions  for  a  two- 
aircraft  maneuver.  In  the  second  part  we  show  that  verification  of  the  safety  of 
continuous  nonlinear  systems  using  the  Hamilton-Jacobi-Bellman  equation  may 
be  considered  as  the  continuous  analog  of  infinite  games  on  finite  automata. 
In  the  third  part  we  present  a  conceptual  algorithm  for  calculating  maximal 
controlled  invariant  sets  for  nonlinear  hybrid  systems,  and  we  conclude  with  a 
brief  discussion  of  computational  issues. 

The  idea  of  posing  the  controller  synthesis  problem  as  a  discrete  game  be¬ 
tween  the  system  and  its  environment  is  attributed  to  Church  [1],  who  was 
studying  solutions  to  digital  circuits.  The  solution  to  this  problem  using  a  ver¬ 
sion  of  the  von  Neumann-Morgenstern  discrete  game  [2]  is  due  to  Biichi  and 
Landweber  [3]  and  Rabin  [4].  [5]  also  discusses  games  on  automata.  A  compre¬ 
hensive  modern  survey  of  infinite  discrete  games  on  automata  is  presented  in  [6] 
and  [7].  Controller  synthesis  on  timed  automata  was  first  developed  in  [8]  and 
[9] .  An  algorithm  for  controller  synthesis  on  linear  hybrid  automata  is  presented 
in  [10].  The  notion  of  control  invariance  for  continuous  systems  is  described  in 
[11],  and  control  invariance  for  hybrid  systems  is  discussed  in  [12]. 

The  study  of  differential  equations  in  game  theory  was  first  motivated  by 
military  problems  in  the  U.S.  Air  Force  (aircraft  dog  fights,  target  missiles)  and 
was  initially  developed  by  Isaacs  in  the  1940’s  and  50’s  [13].  An  excellent  modern 

*  Research  supported  by  NASA  under  grant  NAG  2-1039,  by  the  California  PATH 
program  under  MOU-238  and  MOU-288,  and  by  a  Zonta  Postgraduate  Fellowship. 
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reference  is  [14] .  Our  motivation  for  this  work  arose  out  of  attempting  to  verify 
the  safety  of  a  class  of  conflict  resolution  maneuvers  for  aircraft,  in  [15].  Similar 
previous  work  is  that  of  [16],  in  which  game  theoretic  methods  were  used  to 
prove  safety  of  a  set  of  maneuvers  for  Automated  Highway  Systems. 

Let us first introduce some basic notation. Let $PC^0$ denote the space of 
piecewise continuous functions over $\mathbb{R}$, and $PC^1$ the space of piecewise 
differentiable functions over $\mathbb{R}$. 

Entity                | Discrete                                                                  | Continuous 
----------------------|---------------------------------------------------------------------------|---------------------------------------------------------------------------- 
State space           | $Q$                                                                       | $\mathbb{R}^n$ 
Input sets            | $\Sigma_0 \times \Sigma_1$                                                | $U \times D$ 
Input space           | $\Sigma_0^\omega \times \Sigma_1^\omega$                                  | $\mathcal{U} \times \mathcal{V} \subset PC^0 \times PC^0$ 
Transition relation   | $\delta : Q \times \Sigma_0 \times \Sigma_1 \to 2^Q$                      | $f : \mathbb{R}^n \times U \times D \to \mathbb{R}^n$: $\forall \tau,\ \dot{x}(\tau) = f(x(\tau), u(\tau), d(\tau))$ 
System trajectory     | $(\gamma, s_0, s_1) \in Q^\omega \times \Sigma_0^\omega \times \Sigma_1^\omega$: $\gamma[i+1] \in \delta(\gamma[i], s_0[i], s_1[i])$ | $(x(\cdot), u(\cdot), d(\cdot)) \in PC^1 \times \mathcal{U} \times \mathcal{V}$: $\forall \tau,\ \dot{x}(\tau) = f(x(\tau), u(\tau), d(\tau))$ 
Acceptance conditions | $\Box F$; $\Diamond G$                                                    | $\forall \tau,\ x(\tau) \in F$; $\exists \tau,\ x(\tau) \in G$ 

2  Motivating  Example 

Consider a variation of the two aircraft collision avoidance problem of [15], in 
which there are two modes of operation: a cruise maneuver in which both aircraft 
follow a straight path, and an avoid maneuver in which both aircraft follow a 
circular arc path. The protocol of the maneuver is that as soon as the aircraft are 
within a distance $\alpha$ of each other, each aircraft turns 90° to its right and 
follows a half circle. Once the half circle is complete, each aircraft returns to 
its original heading and continues on its straight path (Figure 1). Safety is 
defined in terms of the relative distance between the two aircraft: throughout the 
maneuver the aircraft must remain at least 5 miles apart. In this section, we 
calculate the largest set of initial conditions of the system which render this 
maneuver safe, implicitly determining the parameter $\alpha$ in the process. 

In each mode, the nonlinear dynamics may be expressed in terms of the relative 
motion of the two aircraft (equivalent to fixing the origin of the relative frame 
on aircraft 0 and studying the motion of aircraft 1 with respect to aircraft 0): 

$$\dot{x}_r = -v_0 + v_1 \cos\phi_r + \omega_0 y_r$$
$$\dot{y}_r = v_1 \sin\phi_r - \omega_0 x_r \qquad (1)$$
$$\dot{\phi}_r = \omega_1 - \omega_0$$

in which $(x_r, y_r, \phi_r)$ is the relative position and orientation of aircraft 1 
with respect to aircraft 0, and $v_i$ and $\omega_i$ are the linear and angular 
velocities of each aircraft. In mode 1, $\omega_i = 0$ for $i = 0, 1$ and in mode 2, 
$\omega_i = 1$ for $i = 0, 1$. The control input is defined to be the linear 
velocity of aircraft 0, $u = v_0 \in U$, and the disturbance input as that of 
aircraft 1, $d = v_1 \in D$, where U and D are called the control and disturbance 
sets and denote the range of possible linear velocities of each aircraft. Such a 
situation could arise, for example, in an airborne collision avoidance algorithm in 
which the flight management system of aircraft 0 wishes to compute the parameters 
$v_0$ and $\alpha$ of its avoidance maneuver and can only predict the velocity of 
aircraft 1 to within some uncertainty. 

Fig. 1. Two aircraft in two modes of operation: in mode 1 the aircraft follow a 
straight course and in mode 2 the aircraft follow a half circle. The initial 
relative heading (120°) is preserved throughout. 

We define the region at which "loss of separation" occurs as a 5-mile-radius 
cylinder around the origin in the $(x_r, y_r, \phi_r)$ space: 

$$G = \{(x_r, y_r) \in \mathbb{R}^2,\ \phi_r \in [-\pi, \pi) \mid x_r^2 + y_r^2 < 5^2\} \qquad (2)$$

This region is referred to in the pursuit-evasion game literature as the capture 
set. 

We now describe pictorially the calculation of the largest set of initial 
conditions $(x_r(0), y_r(0)) \in \mathbb{R}^2$ which render the maneuver safe. 
Consider the four consecutive plots of Figure 2. Aircraft 0 is at the origin of the 
relative axis, and G is the capture set. Since in both mode 1 and mode 2 the 
relative orientation between the two aircraft is constant ($\dot{\phi}_r = 0$), the 
value of $\phi_r$ acts as a parameter. We therefore consider the maneuver in the 
$(x_r, y_r)$ plane. 

In the first plot, the set $V_1^*$ denotes the winning states for aircraft 1 in 
mode 1: those states from which for all possible actions of aircraft 0, aircraft 1 
has an action which can drive it into G: 

$$V_1^* = \{(x_r(0), y_r(0)) \mid \exists \tau \in [0, \infty),\ (x_r(\tau), y_r(\tau)) \in G\} \qquad (3)$$

where $x(\tau)$ evolves according to the dynamics in mode 1. 

Plot 2 illustrates $V_2^*$, the winning states for aircraft 1 in mode 2 with the 
stipulation that the aircraft remain in mode 2 for exactly $\pi$ seconds (to 
complete the half circle): 

$$V_2^* = \{(x_r(0), y_r(0)) \mid \exists \tau \in [0, \pi],\ (x_r(\tau), y_r(\tau)) \in G\} \qquad (4)$$

where $x(\tau)$ evolves according to the dynamics in mode 2. 

Plot 3 illustrates the set $V_1^*$ transformed into the relative frame for mode 2 
(this reset map $r_1(\cdot)$ rotates every state in mode 1 by 90°, corresponding to 
aircraft 0 at the origin of the relative frame rotating by −90° when switching from 
mode 1 to mode 2). The intersection $r_1(V_1^*) \cap V_2^*$, shown as the darker 
shaded area of plot 3, represents those states which are potentially unsafe, since 
outside of this intersection, the aircraft may always switch modes to achieve 
safety. Plot 4 displays $V^*$, the minimal unsafe set. Note that the states of 
$r_1(V_1^*)$ outside this intersection have been removed from the unsafe set of 
states at this step of the iteration by flowing the dynamics of mode 1 forward in 
time, and then switching from mode 1 to mode 2 before the system enters G. 

In the calculation of the minimal unsafe set of Figure 2, the control and 
disturbance sets U and D are singletons: both $u = v_0$ and $d = v_1$ are given. 
Thus in this example the action refers only to $\alpha$, the minimum relative 
distance at which the aircraft must switch to mode 2, since we have fixed the 
velocities of the two aircraft at known values. In the remainder of the paper, we 
formalize this calculation for arbitrary control and disturbance sets, arbitrary 
nonlinear equations describing the continuous dynamics, and arbitrary invariant 
conditions for the discrete modes. 
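The membership tests of (3) and (4) for the singleton-velocity case, as a Python example added here (not the paper's computation, which is done graphically in Figure 2). Because $\phi_r$ is constant in both modes, (1) reduces to a straight line in mode 1 and, with $\omega_0 = \omega_1 = 1$, to a clockwise circle about the equilibrium $(v_1 \sin\phi_r,\ v_0 - v_1 \cos\phi_r)$ in mode 2, so both flows are available in closed form and the block integrates nothing numerically. The velocities ($v_0 = v_1 = 5$), the 120° heading from Figure 1 and the test points are constructed for the example; the sense of the 90° rotation in `reset_r1` is an assumption, since the text fixes only its magnitude.

```python
"""Closed-form flows of the relative dynamics (1) in both modes and the
membership tests behind V1* (3), V2* (4) and the reset map r_1.  Added
example, not the paper's code; velocities, heading and test points are
constructed."""
import math

V0, V1 = 5.0, 5.0            # assumed fixed velocities: U and D are singletons
PHI_R = 2.0 * math.pi / 3.0  # 120 degree relative heading, constant in both modes
SEP = 5.0                    # loss-of-separation radius of G, equation (2)

# With phi_r constant, (1) reduces to a constant drift (A, B) plus, in mode 2,
# the rotation terms  +omega_0*y_r  and  -omega_0*x_r  with omega_0 = 1.
A = -V0 + V1 * math.cos(PHI_R)
B = V1 * math.sin(PHI_R)


def flow_mode1(p, t):
    """Mode 1 (omega_0 = omega_1 = 0): straight-line relative motion."""
    return (p[0] + A * t, p[1] + B * t)


def flow_mode2(p, t):
    """Mode 2 (omega_0 = omega_1 = 1): x' = A + y, y' = B - x.  Writing
    z = (x - B, y + A) gives z' = (z_y, -z_x), a clockwise rotation of z."""
    zx, zy = p[0] - B, p[1] + A
    c, s = math.cos(t), math.sin(t)
    return (B + zx * c + zy * s, -A - zx * s + zy * c)


def in_capture_set(p):
    """Equation (2): inside the 5-mile cylinder about the origin."""
    return p[0] ** 2 + p[1] ** 2 < SEP ** 2


def in_V1(p):
    """(3): does the mode-1 trajectory from p ever enter G?  The straight
    line's closest approach to the origin is found analytically."""
    t_star = max(0.0, -(p[0] * A + p[1] * B) / (A * A + B * B))
    return in_capture_set(flow_mode1(p, t_star))


def in_V2(p, steps=2000):
    """(4): does the mode-2 trajectory from p enter G for some t in [0, pi],
    i.e. during the half circle?  Sampled along the closed-form arc."""
    return any(in_capture_set(flow_mode2(p, math.pi * k / steps))
               for k in range(steps + 1))


def reset_r1(p):
    """Reset map r_1 applied on the switch from mode 1 to mode 2: rotate the
    relative state by 90 degrees.  Counter-clockwise is an assumption made
    here; the text fixes only the magnitude of the rotation."""
    return (-p[1], p[0])


def potentially_unsafe(p):
    """p (mode-1 coordinates) lies in V1* and r_1(p) lies in V2*, i.e. r_1(p)
    is in the intersection r_1(V1*) ∩ V2* of plot 3.  Outside this set the
    aircraft can always switch modes to stay clear of G."""
    return in_V1(p) and in_V2(reset_r1(p))


if __name__ == "__main__":
    for p in [(20.0, -20.0 / math.sqrt(3.0)), (20.0, 20.0), (7.5 + B, 7.5 - B)]:
        print(p, "V1*:", in_V1(p), " r1(p) in V2*:", in_V2(reset_r1(p)),
              " potentially unsafe:", potentially_unsafe(p))
```

The first test point is on a collision course in mode 1 (its straight line passes through the origin) yet leaves the intersection after the switch, which is exactly the "flow forward, then switch before entering G" argument that removes states from the unsafe set in plot 4. Sweeping `potentially_unsafe` over a grid of initial positions reproduces the darker region of plot 3 for these parameters.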

3  Verifying safety in continuous systems: a comparison with discrete □- and ◇-games 

3.1  Infinite  Games  on  Finite  Automata 

We  summarize  a  class  of  two-player  games  on  finite  automata,  in  which  the  goal 
of  Player  0  is  to  force  the  system  to  remain  inside  a  certain  “good”  subset  of 
the  state  space,  and  the  goal  of  Player  1  is  to  force  the  system  to  leave  this 
same  subset.  We  describe  the  iteration  process  for  calculating  the  set  of  states 
from  which  Player  0  can  always  win,  and  the  set  of  states  from  which  Player  1 
can  always  win.  We  then  show  how  this  iteration  process  can  be  written  as  a 
difference  equation  for  a  value  function,  similar  to  the  Hamilton- Jacobi-Bellman 
equation  for  differential  games  on  continuous  systems. 


System Definition and Winning Condition  We consider two players $P_0$ and 
$P_1$, playing over a game automaton of the form: 

$$(Q, \Sigma, \delta, Q_0, \Omega) \qquad (5)$$

where Q is a finite set of states, $\Sigma$ is a finite set of actions, 
$\delta : Q \times \Sigma \to 2^Q$ is a partial transition relation, $Q_0 \subseteq Q$ 
is a set of initial states, and $\Omega$ is a trajectory acceptance condition. The 
set of actions is the product of two sets $\Sigma = \Sigma_0 \times \Sigma_1$, where 
$\Sigma_i$ contains the actions of $P_i$, so that each transition between states 
depends on a joint action $(\sigma_0, \sigma_1)$ of $P_0$ and $P_1$. In what 
follows, $\Sigma_0$ will be the set of actions of the controller, and $\Sigma_1$ 
will be the set of actions of the environment (or disturbance). 

Fig. 2. Showing the successive calculation of the minimal unsafe set. 

A system trajectory is an infinite sequence of states and actions, 
$(\gamma, s_0, s_1) \in Q^\omega \times \Sigma_0^\omega \times \Sigma_1^\omega$, 
which satisfies: 

$$\gamma[0] \in Q_0 \quad \text{and} \quad \gamma[i+1] \in \delta(\gamma[i], s_0[i], s_1[i]) \qquad (6)$$

We will consider two kinds of trajectory acceptance conditions: $\Omega = (\Box F)$ 
(meaning that $\forall i,\ \gamma[i] \in F$), and its dual $\Omega = (\Diamond G)$ 
(meaning that $\exists i,\ \gamma[i] \in G$), where F and G are subsets of Q. 
$P_0$ wins the game if the trajectory satisfies $\Box F$, otherwise $P_1$ wins. To 
illustrate the duality between the two kinds of acceptance conditions we assume 
that $P_1$ wins the game $\Omega = (\Diamond G)$ if the trajectory satisfies 
$\Diamond G$. 


State Space Partition  Consider the acceptance condition $\Omega = \Box F$. The winning states for $P_0$ are those states $W^* \subseteq F$ from which $P_0$ can force the system to stay in $F$. The set $W^*$ can be calculated as the fixed point of the following iteration (using a negative index $i \in \mathbb{Z}_-$ to indicate that each step is a predecessor operation):

$$W^0 = F$$
$$W^{i-1} = W^i \cap \{q \in Q \mid \exists \sigma_0 \in \Sigma_0\ \forall \sigma_1 \in \Sigma_1\ \ \delta(q, (\sigma_0, \sigma_1)) \subseteq W^i\} \qquad (7)$$

The iteration terminates when $W^i = W^{i-1} = W^*$. At each step of the iteration, the set $W^i$ contains those states for which $P_0$ has a sequence of actions which will ensure that the system remains in $F$ for at least $|i|$ steps, for all possible actions of $P_1$.

Now consider the acceptance condition $\Omega = \Diamond G$. The winning states for $P_1$ are those states $V^* \supseteq G$ from which $P_1$ can force the system to visit $G$. It can be calculated iteratively by:

$$V^0 = G$$
$$V^{i-1} = V^i \cup \{q \in Q \mid \exists \sigma_1 \in \Sigma_1\ \forall \sigma_0 \in \Sigma_0\ \ \delta(q, (\sigma_0, \sigma_1)) \subseteq V^i\} \qquad (8)$$

terminating when $V^i = V^{i-1} = V^*$. Here, $V^i$ contains those states for which $P_1$ has a sequence of actions which will ensure that the system touches $G$ in at most $|i|$ steps, for all possible actions of $P_0$.


The Value Function  For the acceptance condition $\Omega = \Box F$, we inductively define a value function:

$$J(q, i): Q \times \mathbb{Z}_- \to \{0, 1\} \qquad (9)$$

(10)

In other words, $W^i = \{q \in Q \mid J(q, i) = 1\}$. Recall that $P_0$ is trying to keep the system in $F$ while $P_1$ is trying to force the system to leave $F$. Therefore,

$$J(q, i-1) = \max_{\sigma_0} \min_{\sigma_1} \min_{q' \in \delta(q, \sigma_0, \sigma_1)} J(q', i) = \begin{cases} 1 & \text{if } \exists \sigma_0 \text{ such that } \forall \sigma_1,\ \delta(q, \sigma_0, \sigma_1) \subseteq W^i \\ 0 & \text{otherwise} \end{cases} \qquad (11)$$

The $\min_{q' \in \delta(q, \sigma_0, \sigma_1)}$ in the above compensates for the nondeterminism in $\delta$, and the notation $\max_{\sigma_0} \min_{\sigma_1}$ means that $P_0$ plays first, trying to maximize the minimum value of $J(\cdot)$. $P_1$ has the advantage in this case, since it has "prior" knowledge of $P_0$'s action when making its own choice. Therefore, in general,

$$\max_{\sigma_0} \min_{\sigma_1} \min_{q' \in \delta(q, \sigma_0, \sigma_1)} J(\cdot) \ \le\ \min_{\sigma_1} \max_{\sigma_0} \min_{q' \in \delta(q, \sigma_0, \sigma_1)} J(\cdot) \qquad (12)$$

with equality occurring when the action $(\sigma_0, \sigma_1)$ is a saddle solution, or a no regret solution for each player. Here we do not need to assume the existence of a saddle solution; rather we always give the advantage to $P_1$, the player doing its worst to drive the system out of $F$.

The iteration process (7) may be summarized by the difference equation:

$$J(q, i-1) - J(q, i) = \min\Big\{0,\ \max_{\sigma_0} \min_{\sigma_1} \Big[\min_{q' \in \delta(q, \sigma_0, \sigma_1)} J(q', i) - J(q, i)\Big]\Big\} \qquad (13)$$

which describes the relationship between the change in $J(\cdot)$ due to one step of the iteration and the change in $J(\cdot)$ due to one state transition. The first "min" in equation (13) prevents states outside $W^i$ that can be forced by $P_0$ to transition into $W^i$ from appearing in $W^{i-1}$.

To calculate the set of winning states $W^*$ for $P_0$ we iterate equation (13) until a fixed point is reached, i.e. until for all $q \in Q$, $J(q, i-1) = J(q, i) = J^*(q)$.

Proposition 1 (Winning States for $P_0$)  A fixed point $J^*(q)$ of (13) is reached in a finite number of iterations. The set of winning states for $P_0$ is $W^* = \{q \in Q \mid J^*(q) = 1\}$.

Definition 1 ($\Sigma_0$-controlled invariant set)  A subset $W \subseteq Q$ is called $\Sigma_0$-controlled invariant if $\forall s_1 \in \Sigma_1^\omega$, $\exists s_0 \in \Sigma_0^\omega$ such that for the system trajectory $(\gamma, s_0, s_1) \in Q^\omega \times \Sigma_0^\omega \times \Sigma_1^\omega$, $\gamma$ remains in $W$.

Proposition 2 (Characterization of $W^*$)  $W^*$ is the largest $\Sigma_0$-controlled invariant subset of $F$.

A feedback controller for $\sigma_0$ that renders $W^*$ invariant can now be constructed. For all $q \in W^*$ the controller allows only the $\sigma_0 \in \Sigma_0$ for which:

$$\min_{\sigma_1} \min_{q' \in \delta(q, \sigma_0, \sigma_1)} J^*(q') = 1$$

Existence of such $\sigma_0$ for all $q \in W^*$ is guaranteed by construction. This control scheme is in fact "least restrictive".

An algorithm for calculating $V^*$ can be constructed similarly. If $G = F^c$, the second game ($\Omega = \Diamond G$) is the dual of the first game ($\Omega = \Box F$) in the sense that if the sequence of actions $(s_0, s_1) \in \Sigma_0^\omega \times \Sigma_1^\omega$ of the first game is a saddle or no regret solution, then $V^* = (W^*)^c$.
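A worked instance of iterations (7) and (8), of the value-function form (13), and of the least restrictive controller. This is an added example, not code from the paper: the six-state game automaton, its action sets and the nondeterministic relation `DELTA` are constructed for illustration, and $Q_0$ is left out because the winning sets do not depend on it.

```python
"""Winning sets of the discrete game (Q, Sigma_0 x Sigma_1, delta, Q_0, Omega) by the
fixed-point iterations (7) and (8), the value-function form (13), and the least
restrictive controller.  Added example; the automaton is constructed, not from the paper."""

# Constructed game automaton (assumption).  P0 is the controller, P1 the environment.
Q = frozenset({"s0", "s1", "s2", "s3", "s4", "bad"})
SIGMA0 = ("hold", "move")   # actions of P0
SIGMA1 = ("ok", "fault")    # actions of P1
# delta(q, sigma0, sigma1) is nondeterministic: a set of successor states.
DELTA = {
    ("s0", "hold", "ok"): {"s0"},    ("s0", "hold", "fault"): {"s1"},
    ("s0", "move", "ok"): {"s2"},    ("s0", "move", "fault"): {"s2", "bad"},
    ("s1", "hold", "ok"): {"s0"},    ("s1", "hold", "fault"): {"s1"},
    ("s1", "move", "ok"): {"s3"},    ("s1", "move", "fault"): {"bad"},
    ("s2", "hold", "ok"): {"s2"},    ("s2", "hold", "fault"): {"s3"},
    ("s2", "move", "ok"): {"s0"},    ("s2", "move", "fault"): {"s0", "s3"},
    ("s3", "hold", "ok"): {"s3"},    ("s3", "hold", "fault"): {"bad"},
    ("s3", "move", "ok"): {"s2"},    ("s3", "move", "fault"): {"bad"},
    ("s4", "hold", "ok"): {"s4"},    ("s4", "hold", "fault"): {"s4"},
    ("s4", "move", "ok"): {"s0"},    ("s4", "move", "fault"): {"s4"},
    ("bad", "hold", "ok"): {"bad"},  ("bad", "hold", "fault"): {"bad"},
    ("bad", "move", "ok"): {"bad"},  ("bad", "move", "fault"): {"bad"},
}
F = Q - {"bad"}   # P0 must keep the state in F (Omega = box F)


def safe_pre(W):
    """{q : exists sigma0 forall sigma1, delta(q, sigma0, sigma1) subset of W}, the
    predecessor operator of (7).  Nondeterminism in delta is resolved against P0."""
    return {q for q in Q
            if any(all(DELTA[(q, a0, a1)] <= W for a1 in SIGMA1) for a0 in SIGMA0)}


def reach_pre(V):
    """{q : exists sigma1 forall sigma0, delta(q, sigma0, sigma1) subset of V}, the
    predecessor operator of (8).  Here the nondeterminism is resolved against P1."""
    return {q for q in Q
            if any(all(DELTA[(q, a0, a1)] <= V for a0 in SIGMA0) for a1 in SIGMA1)}


def winning_safety(F):
    """Iteration (7): W^0 = F, W^{i-1} = W^i & safe_pre(W^i), until W^{i-1} = W^i.
    Returns W* and the list [W^0, W^-1, ...] of intermediate sets."""
    W, history = set(F), []
    while True:
        history.append(frozenset(W))
        W_prev = W & safe_pre(W)
        if W_prev == W:
            return frozenset(W), history
        W = W_prev


def winning_reach(G):
    """Iteration (8): V^0 = G, V^{i-1} = V^i | reach_pre(V^i), until a fixed point."""
    V = set(G)
    while True:
        V_prev = V | reach_pre(V)
        if V_prev == V:
            return frozenset(V)
        V = V_prev


def safety_value_iteration(F):
    """The same computation written as the difference equation (13) on J(q, i) in {0, 1}:
    J(q, i-1) = min{J(q, i), max_s0 min_s1 min_q' J(q', i)}, with J(q, 0) = 1 iff q in F
    (so that W^0 = F and W^i = {q : J(q, i) = 1})."""
    J = {q: int(q in F) for q in Q}
    while True:
        J_prev = {q: min(J[q], max(min(min(J[qq] for qq in DELTA[(q, a0, a1)])
                                       for a1 in SIGMA1) for a0 in SIGMA0))
                  for q in Q}
        if J_prev == J:
            return J
        J = J_prev


def least_restrictive_controller(W_star):
    """For q in W*, the sigma0 with min_sigma1 min_q' J*(q') = 1, i.e. every successor
    under every sigma1 stays in W*.  Every such sigma0 is kept; none is preferred."""
    return {q: tuple(a0 for a0 in SIGMA0
                     if all(DELTA[(q, a0, a1)] <= W_star for a1 in SIGMA1))
            for q in sorted(W_star)}


if __name__ == "__main__":
    W_star, steps = winning_safety(F)
    V_star = winning_reach(Q - F)
    print("W* =", sorted(W_star), "after", len(steps) - 1, "predecessor steps")
    print("V* =", sorted(V_star))
    print("controller:", least_restrictive_controller(W_star))
    print("in neither set:", sorted(Q - W_star - V_star))
```

Running it gives $W^* = \{s_0, s_1, s_4\}$ after two predecessor steps, $V^* = \{s_3, bad\}$, and a controller that keeps both actions at $s_4$ but only `hold` at $s_0$ and $s_1$. The state $s_2$ lies in neither set: under `move` with `fault` the successor set $\{s_0, s_3\}$ is resolved against $P_0$ in (7) and against $P_1$ in (8), so the saddle hypothesis of the duality statement above fails there and indeed $V^* \ne (W^*)^c$.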
3.2 Dynamic Games on Nonlinear Continuous Systems

Consider now the dynamic counterpart of the above class of discrete games: two-player zero-sum dynamic games on nonlinear continuous-time systems. The acceptance conditions considered here correspond to a class of dynamic games known as pursuit-evasion games. Player 0 wins if it can keep the system from entering a "bad" subset of the state space, called the capture set. Player 1 wins if it can drive the state into the bad set (if it can capture Player 0). As in the previous section, we describe the calculation of the set of states from which Player 0 can always win.

System Definition and Winning Condition  As in the discrete case, we consider two players $P_0$ and $P_1$, but now over nonlinear systems of the form

$$\dot{x}(t) = f(x(t), u(t), d(t)) \qquad (14)$$

where $x \in \mathbb{R}^n$ is the finite-dimensional state space, $u \in U \subseteq \mathbb{R}^u$ is the control input which models the actions of $P_0$, $d \in D \subseteq \mathbb{R}^d$ is the disturbance input which models the actions of $P_1$, and $f$ is a smooth vector field over $\mathbb{R}^n$. The input set $U \times D$ is the analog of the partition $\Sigma_0 \times \Sigma_1$ of the discrete game. The spaces of acceptable control and disturbance trajectories are denoted by $\mathcal{U} = \{u(\cdot) \in PC^0 \mid u(\tau) \in U\ \forall \tau \in \mathbb{R}\}$ and $\mathcal{D} = \{d(\cdot) \in PC^0 \mid d(\tau) \in D\ \forall \tau \in \mathbb{R}\}$.

A system trajectory over an interval $I \subseteq \mathbb{R}$ is a map:

$$(x(\cdot), u(\cdot), d(\cdot)): I \to \mathbb{R}^n \times U \times D \qquad (15)$$

such that $u(\cdot) \in \mathcal{U}$, $d(\cdot) \in \mathcal{D}$, $x(\cdot)$ is continuous and, $\forall \tau \in I$ where $u(\cdot)$ and $d(\cdot)$ are continuous, $\dot{x}(\tau) = f(x(\tau), u(\tau), d(\tau))$. We assume that the function $f$ is globally Lipschitz in $x$ and continuous in $u$ and $d$. Then, by the existence and uniqueness theorem of solutions for ordinary differential equations, given an interval $I$, the value of $x(t)$ for some $t \in I$, and input and disturbance trajectories $u(\tau), d(\tau)$ over $I$, there exists a unique solution $(x(\cdot), u(\cdot), d(\cdot))$ to (14).

We define the capture set as a region $G$ by $G = \{x \in \mathbb{R}^n \mid l(x) < 0\}$ with boundary $\partial G = \{x \in \mathbb{R}^n \mid l(x) = 0\}$, where $l: \mathbb{R}^n \to \mathbb{R}$ is a differentiable function of $x$ and $Dl(x) \ne 0$ on $\partial G$. Defining $F = G^c$, we say $P_0$ wins the game if for all $\tau \in \mathbb{R}$, $x(\tau) \in F$.

State Space Partition  The winning states for $P_0$ are those states $W^* \subseteq \mathbb{R}^n$ from which $P_0$ can force the system to stay in $F = G^c$. Define the outward pointing normal to $G$ as:

$$\nu = Dl(x) \qquad (16)$$

The states on $\partial G$ which can be forced into $G$ infinitesimally constitute the usable part (UP) of $\partial G$ [14]. They are the states for which the disturbance can force the vector field to point inside $G$:

$$UP = \{x \in \partial G \mid \nu^T f(x, u, d) < 0\} \qquad (17)$$

Figure 3 displays a simple example, with the UP of $\partial G$ shown in bold.

Fig. 3. The capture set $G$, its outward pointing normal $\nu$, and the cones of vector field directions at points on $\partial G$.


The Value Function and Hamilton-Jacobi-Bellman Equation  Consider the system (14) over the time interval $[t, 0]$, where $t < 0$. The value function of the game is defined by:

$$J(x, u(\cdot), d(\cdot), t): \mathbb{R}^n \times \mathcal{U} \times \mathcal{D} \times \mathbb{R}_- \to \mathbb{R} \qquad (18)$$

such that $J(x, u(\cdot), d(\cdot), t) = l(x(0))$. This value function may be interpreted as the cost of a trajectory $x(\cdot)$ which starts at $x$ at time $t < 0$, evolves according to (14) with inputs $u(\cdot)$, $d(\cdot)$, and ends at the final state $x(0)$. Note that the value function depends only on the final state: there is no running cost, or Lagrangian. This encodes the fact that we are only interested in whether or not the system trajectory ends in $G$ and are not concerned with intermediate states. The game is won by $P_1$ if the terminal state $x(0)$ belongs inside $G$ (i.e. $J < 0$), and is won by $P_0$ otherwise.

Let:

$$u^* = \arg\max_{u \in \mathcal{U}} \min_{d \in \mathcal{D}} J(x, u(\cdot), d(\cdot), t) \qquad (19)$$

$$J^*(x, t) = \max_{u \in \mathcal{U}} \min_{d \in \mathcal{D}} J(x, u(\cdot), d(\cdot), t) \qquad (20)$$

Thus, the set $\{x : J^*(x, t) \ge 0\}$ contains the states for which the system will stay in $F = G^c$ for at least $|t|$ seconds, regardless of the disturbance $d$. The continuous-time analog to (7), the iterative method of calculating the winning states for $P_0$, is therefore:

$$W^0 = G^c$$
$$W^t = \{x \mid J^*(x, t) \ge 0\} \qquad (21)$$

This "iteration" terminates if there exists a $t^* < 0$ such that for all $t < t^*$, $W^t = W^{t^*}$.

We compute $J^*(x, t)$ using standard results in optimal control theory. First, define the Hamiltonian of the system as:

$$H(x, p, u, d) = p^T f(x, u, d) \qquad (22)$$

where $p$ is a vector in $\mathbb{R}^n$ called the costate and is equal to $\nu$ at the boundary of $G$. The optimal Hamiltonian is given by:

$$H^*(x, p) = \max_{u \in U} \min_{d \in D} H(x, p, u, d) \qquad (23)$$

If $J^*(x, t)$ is a smooth function of $x$ and $t$, then it may be calculated for all $x$ and $t$ using the following partial differential equation, known as the Hamilton-Jacobi-Bellman equation:

$$-\frac{\partial J^*(x, t)}{\partial t} = \min\Big\{0,\ H^*\Big(x, \frac{\partial J^*(x, t)}{\partial x}\Big)\Big\} \qquad (24)$$

with boundary condition $J^*(x, 0) = l(x)$. The derivation of equation (24) may be found in most textbooks on optimal control, for example, see [17]. We added the "min" to the right hand side of (24) for the same reason as in the discrete case: we want to ensure that only the UP of $\partial G$ is propagated backwards, so that states which are once unsafe cannot become safe. Equation (24) is the continuous analog to equation (13) of the preceding discrete game, and describes the relationship between the time and state evolution of $J^*(x, t)$.


Proposition 3 (Winning States for $P_0$)  If (21) reaches a fixed point at time $t^*$, then the set of winning states for $P_0$ is $W^* = \{x \mid J^*(x, t^*) \ge 0\}$. Otherwise, $W^* = \{x \mid J^*(x, -\infty) \ge 0\}$. In both cases, $J^*(x, t)$ is the solution of equation (24).

Definition 2 ($\mathcal{U}$-controlled invariant set)  A subset $W \subseteq \mathbb{R}^n$ is called $\mathcal{U}$-controlled invariant if $\exists u(\cdot) \in \mathcal{U}$ such that $\forall d(\cdot) \in \mathcal{D}$, $x(\cdot)$ remains in $W$ for the trajectory $(x(\cdot), u(\cdot), d(\cdot))$.

Proposition 4 (Characterization of $W^*$)  $W^*$ is the largest $\mathcal{U}$-controlled invariant set contained in $F = G^c$.

A feedback controller for $u$ that renders $W^*$ invariant can now be constructed. The controller should be such that on $\partial W^*$ only the $u$ for which:

$$\min_{d \in D} \Big(\frac{\partial J^*(x, -\infty)}{\partial x}\Big)^T f(x, u, d) \ge 0$$

are applied. In the interior of $W^*$, $u$ is free to take on any value in $U$. Existence of such $u$'s for $x \in W^*$ is guaranteed by construction. This scheme is in fact least restrictive.
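A numerical counterpart of (21) and (24) for a one-dimensional system, together with the controller of the last paragraph. This is an added example and not the paper's computation: rather than solving the partial differential equation (24) with a level set scheme, it iterates the discrete-time analogue of (13) on a grid, $J(x, t-\delta) = \min\{J(x, t),\ \max_u \min_d J(x + \delta f(x, u, d), t)\}$, where the outer minimum plays the role of the $\min\{0, \cdot\}$. The system $\dot{x} = x + u + d$, the bounds $u \in [-1, 1]$ and $d \in [-1/2, 1/2]$, the function $l(x) = 4 - x^2$, the grid, and the finite samples standing in for $U$ and $D$ are all assumptions of the example.

```python
"""Winning set W* of the continuous pursuit-evasion game of Section 3.2 on a 1-D example,
by backward dynamic programming on a grid.  Added example, not the paper's level-set
computation: instead of the PDE (24), the discrete-time analogue of (13) is iterated,

    J(x, t - dt) = min{ J(x, t),  max_u min_d J(x + dt*f(x, u, d), t) },

with linear interpolation between grid points; the outer min is the min{0, .} of (13)/(24),
so a state that is once unsafe never becomes safe again.

Constructed system (assumption, not from the paper):
    xdot = x + u + d,  u in [-1, 1],  d in [-1/2, 1/2],  l(x) = 4 - x^2  (G = {|x| > 2}).
With u = -1 (resp. +1) P0 cancels x + d for every d exactly when |x| <= 1/2, so W* is
[-1/2, 1/2] analytically; escape times from just outside grow without bound, so (21) has
no finite fixed point and W* = {x : J*(x, -oo) >= 0}, the 'otherwise' case of Prop. 3.
U and D are replaced by finite samples that contain the extreme points, which are the
optimal choices because f is linear in u and d."""

X_MIN, X_MAX, NX = -3.0, 3.0, 241
DX = (X_MAX - X_MIN) / (NX - 1)                    # 0.025
GRID = [X_MIN + k * DX for k in range(NX)]
U_SAMPLES = (-1.0, 0.0, 1.0)                        # finite sample of U = [-1, 1]
D_SAMPLES = (-0.5, 0.0, 0.5)                        # finite sample of D = [-1/2, 1/2]


def l(x):
    """Level-set function of the capture set: G = {x : l(x) < 0}."""
    return 4.0 - x * x


def f(x, u, d):
    """Vector field of (14) for the constructed system."""
    return x + u + d


def grid_index(x):
    return int(round((x - X_MIN) / DX))


def interp(J, x):
    """Linear interpolation of the grid function J at x.  Outside the grid the state is
    already far beyond the capture set boundary, so the terminal cost l(x) < 0 is used."""
    if x <= X_MIN or x >= X_MAX:
        return l(x)
    s = (x - X_MIN) / DX
    k = int(s)
    w = s - k
    return (1.0 - w) * J[k] + w * J[k + 1]


def backward_step(J, dt):
    """J(x, t - dt) from J(x, t): P0 maximises, P1 minimises, and the value never rises."""
    new_J = []
    for k, x in enumerate(GRID):
        best = max(min(interp(J, x + dt * f(x, u, d)) for d in D_SAMPLES)
                   for u in U_SAMPLES)
        new_J.append(min(J[k], best))
    return new_J


def value_function(dt=0.05, horizon=10.0):
    """J*(x, -horizon) on the grid, from the boundary condition J*(x, 0) = l(x)."""
    J = [l(x) for x in GRID]
    for _ in range(int(round(horizon / dt))):
        J = backward_step(J, dt)
    return J


def winning_set(J):
    """W^t = {x : J*(x, t) >= 0}, as in (21)."""
    return [x for x, j in zip(GRID, J) if j >= 0.0]


def allowed_controls(J, x, dt=0.05):
    """Least restrictive controller in discrete time: at x keep every u whose worst-case
    successor over d still has non-negative value.  In the interior of W* this leaves all
    of U free; on the boundary it restricts u."""
    return tuple(u for u in U_SAMPLES
                 if min(interp(J, x + dt * f(x, u, d)) for d in D_SAMPLES) >= 0.0)


if __name__ == "__main__":
    J = value_function()
    W = winning_set(J)
    print("W* on the grid: [%.3f, %.3f]" % (min(W), max(W)))
    for x in (-0.5, 0.0, 0.5):
        print("allowed u at x = %+.2f:" % x, allowed_controls(J, x))
```

On the grid the computed set is exactly $[-0.5, 0.5]$: at $x = \pm 0.5$ only $u = \mp 1$ is allowed, while in the interior every sampled $u$ is. Because the grid step and the time step are chosen so that $x = \pm 1/2$ are grid points where $u = \mp 1$, $d = \pm 1/2$ gives $f = 0$, the boundary is reproduced without smearing; on a grid that does not contain these points the computed boundary is conservative by up to one cell.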
4 Controller synthesis for nonlinear hybrid systems

Nonlinear Hybrid Automata  A hybrid automaton is a tuple: $H = ((Q \times X), (U \times D), (\Sigma_0 \times \Sigma_1), f, \delta, Inv, (Q_0 \times X_0), \Omega)$ where $Q$ is a finite set of locations, $X = \mathbb{R}^n$, $U \subseteq \mathbb{R}^u$, $D \subseteq \mathbb{R}^d$, $\Sigma = \Sigma_0 \times \Sigma_1$ is a finite set of actions, $f: Q \times X \times U \times D \to \mathbb{R}^n$, $\delta: Q \times X \times \Sigma_0 \times \Sigma_1 \to 2^{Q \times X}$, $Inv \subseteq Q \times X$, $Q_0 \times X_0 \subseteq Q \times X$ is a subset of initial states, and $\Omega$ is an acceptance condition (here $\Omega = \Box F$ or $\Omega = \Diamond G$ for $F, G \subseteq Q \times X$).

The variables of the hybrid automaton evolve continuously as well as in discrete jumps. A hybrid time trajectory, $\tau$, is a finite or infinite sequence of intervals $\tau = \{I_i\}$ satisfying:

- $I_i$ is closed unless $\tau$ is finite and $I_i$ is the last interval in the sequence, in which case $I_i$ can be right open.

- Let $I_i = [\tau_i, \tau_i']$. Then $\tau_0 = 0$ and for all $i$, $\tau_i = \tau_{i-1}'$, $\tau_i \le \tau_i'$.

We denote by $\mathcal{T}$ the set of all hybrid time trajectories.

A system trajectory is a collection $(\tau, (\gamma(\cdot), x(\cdot)), (u(\cdot), d(\cdot)), (s_0, s_1))$ where $\tau \in \mathcal{T}$, $\gamma: \tau \to Q$, $x(\cdot): \tau \to X$, $u(\cdot): \tau \to U$, $d(\cdot): \tau \to D$, $s_0 \in \Sigma_0^\omega$ and $s_1 \in \Sigma_1^\omega$ and:

- Initial Condition: $(\gamma(\tau_0), x(\tau_0)) \in Q_0 \times X_0$

- Discrete Evolution: for all $i$, $(\gamma(\tau_{i+1}), x(\tau_{i+1})) \in \delta((\gamma(\tau_i'), x(\tau_i')), (s_0[i], s_1[i]))$.

- Continuous Evolution: if $\tau_i' > \tau_i$, then for all $t \in [\tau_i, \tau_i']$, $\gamma(t) = \gamma(\tau_i)$, $\dot{x}(t) = f((\gamma(t), x(t)), (u(t), d(t)))$ and $(\gamma(t), x(t)) \in Inv$.

To ensure that the laws for continuous evolution are meaningful we impose the same assumption on $f$ as in the previous section.


Calculating the Maximal Safe Set  Consider the acceptance condition $\Omega = \Box F$. We again seek to construct the largest set of states for which the control (in this case both $u$ and $\sigma_0$) can guarantee that the acceptance condition $\Omega$ is met despite the action of the disturbance (in this case $d$ and $\sigma_1$). For any set $K \subseteq Q \times X$ define the controllable and uncontrollable predecessors of $K$ by:

$$Pre_0(K) = \{(q, x) \in Q \times X \mid \exists \sigma_0 \in \Sigma_0\ \forall \sigma_1 \in \Sigma_1\ \ \delta((q, x), (\sigma_0, \sigma_1)) \subseteq K\} \cap K$$
$$Pre_1(K) = \{(q, x) \in Q \times X \mid \forall \sigma_0 \in \Sigma_0\ \exists \sigma_1 \in \Sigma_1\ \ \delta((q, x), (\sigma_0, \sigma_1)) \cap K^c \ne \emptyset\} \cup K^c \qquad (25)$$

In other words, the controllable predecessor of $K$, $Pre_0(K)$, contains all states in $K$ for which the controllable actions can force the state to remain in $K$ for at least one step in the discrete evolution. The uncontrollable predecessor, on the other hand, contains all states in $K^c$ as well as all states from which the uncontrollable actions may be able to force the state outside $K$. Clearly:

Proposition 5  $Pre_0(K) \cap Pre_1(K) = \emptyset$.


Consider the algorithm:

Initialization: $W^0 = F$, $W^{-1} = \emptyset$, $i = 0$.

While $W^i \ne W^{i-1}$ do

$$W^{i-1} = W^i \setminus \{(q, x) \in Q \times X \mid \forall u \in \mathcal{U}\ \exists t \ge 0,\ d \in \mathcal{D} \text{ such that } (\gamma(t), x(t)) \in Pre_1(W^i) \text{ and } \forall \tau \in [0, t],\ (\gamma(\tau), x(\tau)) \notin Pre_0(W^i)\}$$

$i = i - 1$

end

Here $(\gamma(\tau), x(\tau))$ for $\tau \in [0, t]$ represents the continuous trajectory starting at $(q, x)$ under inputs $(u, d)$, i.e. $(\gamma(0), x(0)) = (q, x)$ and for all $\tau$, $\gamma(\tau) = q$, $\dot{x}(\tau) = f((\gamma(\tau), x(\tau)), (u(\tau), d(\tau)))$, and $(\gamma(\tau), x(\tau)) \in Inv$.

The most challenging part of each step of the algorithm is the computation of the set of states that can be driven by $d$ to $Pre_1(W^i)$ without first entering $Pre_0(W^i)$. This computation can be carried out by appropriately modifying the Hamilton-Jacobi-Bellman construction of Section 3.2.


5 Computational Issues

In practice, the usefulness of the proposed synthesis algorithm depends on our ability to efficiently compute solutions to the Hamilton-Jacobi-Bellman equation. We conclude this paper with a brief discussion of some of the computational issues which we are currently investigating.

Numerical methods for computing solutions to the Hamilton-Jacobi-Bellman PDE have been studied extensively: a survey paper [18] presents a set of computation schemes based on a level set method for propagating curves, which uses numerical techniques derived from conservation laws. The approach requires gridding the state space, so while these techniques have been shown to be efficient in two or three dimensions, they may become cumbersome in higher dimensions. Also, it is essential that a bound on the error due to approximation be known at each step of the algorithm, in order to guarantee that the computed surface is a conservative approximation to the actual surface.

Numerical solutions are potentially complicated by the fact that the right hand side of equation (24) is non-smooth. This is possibly also the case for the optimal Hamiltonian $H^*(x, p)$. Moreover, as $t$ evolves the solution $J^*(x, t)$ to the Hamilton-Jacobi-Bellman equation can develop discontinuities (known as shocks) as a function of $x$. Finally, it is unreasonable to assume that the capture set is always described by a level set of a single differentiable function $l(x)$: more generally, we should assume that there exists a collection of differentiable functions $l_i(x)$, $i = 1, \dots, m$, such that the capture set is described by $G = \bigcap_{i=1}^{m} \{x \in \mathbb{R}^n \mid l_i(x) < 0\}$. Computing solutions with discontinuous Hamiltonian functions is dealt with in [18] using an evolution function which varies across the grid space. Methods to compute solutions in the presence of shocks are presented in [19], and a "viscosity" method to avoid shocks is presented in [20].
Control of engineering systems by computers is formulated as a control synthesis problem for hybrid control systems. An input-output hybrid control system
1 Introduction

The  purpose  of  this  paper  is  to  present  results  on  control  synthesis  for  a  particular 
class  of  hybrid  control  systems. 

In  this  paper  attention  is  focused  on  control  problems  for  hybrid  systems 
in  which  the  discrete-events  are  subject  to  control  and  in  which  there  are  no 
discrete-events  generated  by  the  environment.  Control  problems  of  this  type 
arise  in  control  of  mechanical  systems,  say  robots,  and  in  control  of  chemical 
plants.  The  main  characteristic  of  such  problems  is  that  the  control  is  supplied  by 
discrete-input-events  and  by  the  continuous  input  to  the  system.  It  differs  from 
control  problems  in  which  the  environment  of  the  system  exclusively  supplies 
the  events. 

A hybrid control system is a control theoretic model for a computer controlled engineering system. For the purposes of this paper the definition of a hybrid control system in [13] is restricted to an input-output hybrid control system stated below. The definition is inspired by those of [1, 2]. The general control problem for hybrid systems leads to a problem of controllability of such systems. Because of its generality this problem is unlikely to be solvable analytically. Therefore a sufficient condition for controllability is formulated and proven to achieve sufficiency. The sufficient condition separates controllability at the discrete-event level and at the level of the continuous systems. An advantage of this approach is that it is comparatively easier to check the sufficient condition than it is to check general controllability. For controllability of the control systems at the continuous level results are available, although for nonlinear systems such conditions may be difficult to verify. Controllability conditions for an input-output automaton are in principle straightforward to check although the complexity of this problem may be high. The sufficient condition for controllability of a hybrid control system is not necessary in general. Experience with examples will have to establish whether or not the envisioned advantages are useful in control problems.

Control  synthesis  for  hybrid  control  systems  is  discussed  in  several  papers  and 
theses.  The  publications  most  closely  related  to  this  paper  are  briefly  mentioned. 
M.  Branicky  has  proposed  to  use  optimal  control  theory  for  control  synthesis,  see 
[2,  3,  4].  The  existence  of  a  controller  then  follows  from  the  existence  of  a  solution 
to  a  set  of  Bellman-Hamilton-Jacobi  equations.  Conditions  for  the  existence 
are  not  discussed  and  if  formulated  may  be  restrictive  or  difficult  to  check.  In 
contrast  with  that  paper,  the  approach  of  this  paper  has  explicit  conditions  for 
the  existence  of  an  input  sequence.  A.  Deshpande  and  P.  Varaiya  have  a  theory 
on  viable  control  of  hybrid  control  systems,  see  [5,  6].  The  approach  of  those 
papers  is  close  to  the  approach  of  this  paper,  the  latter  paper  presenting  more 
explicit  controllability  conditions.  Other  references  on  controller  synthesis  are 
[7,  8,  9,  10].  For  concepts  and  results  on  control  theory  the  reader  is  referred  to 
the  book  [12]  and  on  automata  and  computation  referred  to  the  book  [11]. 

A  summary  of  the  paper  follows.  Section  2  contains  a  definition  of  an  input- 
output  hybrid  control  system  and  the  problem  formulation.  Controllability  is 
treated  in  Section  3.  Concluding  remarks  are  stated  in  Section  4. 


2  Problem  Formulation  and  Preliminaries 


Remarks on notation follow. Denote the set of the integers by $\mathbb{Z} = \{1, 2, \dots\}$ and the natural numbers by $\mathbb{N} = \{0, 1, 2, \dots\}$. For $n \in \mathbb{Z}$ denote $\mathbb{Z}_n = \{1, 2, \dots, n\}$. Denote the set of the real numbers by $\mathbb{R}$ and the positive real numbers by $\mathbb{R}_+ = [0, \infty)$.

A continuous-time hybrid control system is a tuple

$$\{T, Q, \Sigma_{in}, \Sigma_{int}, \Sigma_{cd}, \Sigma_{out}, U, Y, U_c, U_{ex}, \delta, r, \{X_q, TX_q, G_q, f_q, h_q, \forall q \in Q\}, (q_0, x_{q_0, 0})\} \qquad (1)$$

where

$T = \mathbb{R}_+$, said to be the time index set,

$Q$ is a finite set, the discrete state set,

$\Sigma_{in}$ is a finite set, the set of input events,

$\Sigma_{int}$ is a finite set, the set of internal events,

$\Sigma_{cd}$ is a finite set, the set of events generated by the continuous dynamics,
$\Sigma = \Sigma_{in} \cup \Sigma_{int} \cup \Sigma_{cd}$,

$U \subseteq \mathbb{R}^m$, the continuous input space,

$Y \subseteq \mathbb{R}^p$, the continuous output space,

$U_c \subseteq \{u: T \to U\}$, the set of continuous input functions,

$U_{ex} \subseteq (T \times \Sigma)^* \cup (T \times \Sigma)^\omega$, the set of external timed-event sequences,

$\delta: T \times Q \times X \times \Sigma \to Q$, the discrete transition function, a, possibly partial, function,

$r: T \times Q \times Q \times X \times \Sigma \to X$, the reset map, a, possibly partial, function,

for all $q \in Q$,

$X_q \subseteq \mathbb{R}^{n_q}$, the continuous state space at discrete state $q \in Q$, $X = \bigcup_{q \in Q} X_q$,

$TX_q(x) \subseteq \mathbb{R}^{n_q}$, the tangent space at $x \in X_q$,

$G_q: \Sigma_{cd} \to P_{closed}(X_q)$, the guard at $q \in Q$, a, possibly partial, function, where $P_{closed}(X_q)$ denotes the closed subsets of $X_q$,

$f_q: T \times X_q \times U \to TX_q$, $h_q: T \times X_q \times U \to Y$, are functions that determine a differential equation and a read-out map,

$(q_0, x_{q_0, 0}) \in Q \times X_{q_0}$, the initial state.

The dynamics of the hybrid control system is described by the discrete transition function, the reset map, the differential equation, and the output map, according to

$$q^+ = \delta(t, q^-, x^-_{q^-}, \sigma), \quad q_0, \qquad (2)$$
$$x^+_{q^+} = r(t, q^-, q^+, x^-_{q^-}, \sigma), \qquad (3)$$
$$\dot{x}_q(t) = f_q(t, x_q(t), u(t)), \quad x_q(0) = x^+_q, \qquad (4)$$
$$y(t) = h_q(t, x_q(t), u(t)). \qquad (5)$$

The operation of the hybrid control system is described below. At $t = 0$ the initial state is $(q_0, x_{q_0, 0}) \in Q \times X_{q_0}$. Assume no immediate transition takes place at $t = 0$. At the discrete state $q = q_0$ the continuous dynamics proceeds according to the differential equation (4). It will be assumed that for all $u \in U_c$ this differential equation has a unique solution on $\mathbb{R}_+$. The solution will be followed till the next event. The time interval till the next event will be denoted by $[t_0, t_1)$ for $t_1 \in \mathbb{R}_+$ and the subsequent intervals by $[t_n, t_{n+1})$ for $n \in \mathbb{Z}_+$.

At any time $t \in T$ an event may occur that results in a change of the discrete state. The possible events at discrete state $q \in Q$ and at time $t \in T$ are:

- an input event $\sigma \in \Sigma_{in}$ occurs if such an event is supplied on the input channel;

- an event generated by the continuous dynamics $\sigma \in \Sigma_{cd}$ occurs immediately when $x_q(t-) \in G_q(\sigma)$, thus if the state of the system hits a guard. (Here the notation $x_q(t-) = \lim_{s \uparrow t} x_q(s)$ is used.)

If the timed-event $(t, \sigma_1)$ occurs then the transition is described by the discrete transition function and the reset map (2, 3). It may be the case that the new state $(q^+, x^+_{q^+}) \in Q \times X_{q^+}$ is such that $x^+_{q^+} \in G_{q^+}(\sigma_2)$. In this case the event $\sigma_2 \in \Sigma_{cd}$ takes place at the same time. It will be assumed that only a finite number of events can occur at any time (non-Zenoness). After the last event of the sequence of events occurring at moment $t$, the new state is $(q_f, x^+_{q_f})$ where $x^+_{q_f}$ is the initial condition of the differential equation in the discrete state $q_f$.

A hybrid control system is said to be time-invariant if the functions $\delta, r, f_q, h_q$ do not depend explicitly on the time index set. In this paper attention is restricted to time-invariant hybrid control systems.

In this paper attention is focused on a control problem for hybrid control systems, as in path planning for robotics. This problem leads to controllability conditions for hybrid systems that may be useful for other control problems.

Problem 1. Consider a time-invariant hybrid control system. For any initial and terminal state, do there exist a timed-event sequence and a sequence of input trajectories

$$\{(t_i, \sigma_i) \in T \times \Sigma_{in},\ i = 1, \dots, m_s\}, \quad \{u_i: [t_i, t_{i+1}) \to U,\ i = 1, \dots, m_s\},$$

such that, when the system is supplied with these inputs, the system is transferred from the pre-specified initial state to the terminal state?

The input trajectories should preferably be generated by a control law in the form of a controller. The controller itself should also be hybrid; it may be taken to be a hybrid control system. In this paper attention is restricted to the existence of input sequences, not to the construction of the controller.


3 A Sufficient Condition for Controllability

Definition 2. A hybrid control system is said to be controllable if for any pair of states $(q_0, x_{q_0, 0}), (q_f, x_{q_f, f}) \in Q \times X$ there exists a timed-event sequence and a continuous-input sequence such that the system evolves from the initial state $(q_0, x_{q_0, 0})$ to the final state $(q_f, x_{q_f, f})$.

In control theory, controllability of a control system is a sufficient condition for the existence of a controller.

What are necessary and sufficient conditions for a hybrid control system to be controllable? First a general sufficiency condition is presented in terms of arrival sets. Subsequently it is shown how to construct these sets.

Proposition 3. Consider a hybrid control system. Assume there exists a collection of sets, called arrival sets,

$$AR(q) = \{AR(q, i) \subseteq X_q,\ \forall i \in \mathbb{Z}_{n_q}\}, \quad AR = \{AR(q),\ \forall q \in Q\},$$

such that

1. for any $(q, x_{q,0}) \in Q \times X$ there exists a continuous input $u \in U_c$ on an interval, a timed-event $(t_1, \sigma_1)$, possibly further timed-events at $t_1$, and $(q_1, AR(q_1, i))$, such that the system is transferred from state $(q, x_{q,0})$ to a state $(q_1, x_{q_1}) \in Q \times AR(q_1, i)$;

2. for any $(q_0, x_{q_0}) \in Q \times AR(q_0, i)$, $q_f \in Q$, and $AR(q_f, j) \in AR(q_f)$ there exists a finite sequence of timed-events and a finite sequence of continuous input signals

$$\{(t_i, \sigma_i) \in T \times \Sigma_{in},\ i = 1, \dots, m_s\}, \quad \{u_i: [t_i, t_{i+1}) \to U,\ i = 1, \dots, m_s\},$$

such that the system is transferred from state $(q_0, x_{q_0})$ to a state $(q_f, x_{q_f}) \in Q \times AR(q_f, j)$;

3. for any $(q_f, x_{q_f, f}) \in Q \times X_{q_f}$ there exists an arrival set $AR(q_f, j)$ and, for any state $x_{q_f, 0} \in AR(q_f, j)$, a continuous input $u \in U_c$ such that the system is transferred from state $(q_f, x_{q_f, 0}) \in Q \times AR(q_f, j)$ to state $(q_f, x_{q_f, f})$ without leaving the state space $X_{q_f}$.

Then the hybrid control system is controllable.

Proof. Consider $(q_0, x_{q_0, 0}) \in Q \times X$ and $(q_f, x_{q_f, f}) \in Q \times X$. By condition 1 there exists a continuous input, a timed-event, and a pair $(q_1, AR(q_1, i))$, such that the system is transferred from state $(q_0, x_{q_0, 0})$ to a state $(q_1, x_{q_1, 1}) \in Q \times AR(q_1, i)$. From condition 3 it then follows that there exists an $AR(q_f, j)$ and, for any state $x_{q_f, 0} \in AR(q_f, j)$, a continuous input such that the system is transferred from state $(q_f, x_{q_f, 0}) \in Q \times AR(q_f, j)$ to the state $(q_f, x_{q_f, f})$. From condition 2 it then follows that there exists a finite timed-event sequence and a finite sequence of continuous-input signals such that the system is transferred from any state $(q_1, x_{q_1, 1}) \in Q \times AR(q_1, i)$ to a state $(q_f, x_{q_f, 0}) \in Q \times AR(q_f, j)$. The three conditions together imply that the system can be transferred from the initial state to the terminal state. □

The construction of the arrival sets requires the introduction of a few definitions.

Definition 4. Consider a time-invariant hybrid control system. The continuous-controllability set at state $(q, x_{q,1}) \in Q \times X$ is defined to be the set

$$C\text{-}Con_q(\{x_{q,1}\}) = \left\{(q, x_{q,0}) \in Q \times X_q \,\middle|\, \begin{array}{l} \text{either } x_{q,0} = x_{q,1} \\ \text{or } \exists\, t_0, t_1 \in \mathbb{R}_+,\ t_0 < t_1,\ u \in U_c, \text{ such that} \\ x_q(t_0) = x_{q,0},\ x_q(t_1) = x_{q,1}, \text{ and } \forall t \in [t_0, t_1),\ x_q(t) \in X_q \end{array}\right\}$$

In words, $C\text{-}Con_q(\{x_{q,1}\})$ is the subset of the state space $\{q\} \times X_q$ from which one can start and by application of a continuous input arrive at the state $(q, x_{q,1})$ without ever leaving the state space $X_q$ in the interval $[t_0, t_1)$. Note that the definition explicitly excludes the possibility that the state trajectory hits a guard, because if it did so then the system would move to another discrete state and thus leave the state space $X_q$.

Let for $S_q \subseteq X_q$ the continuous-controllability set of $S_q$ be defined by

$$C\text{-}Con_q(S_q) = \bigcup_{x_{q,1} \in S_q} C\text{-}Con_q(\{x_{q,1}\}).$$

Then for $\sigma \in \Sigma_{cd}$

$$C\text{-}Con_q(G_q(\sigma)) = \left\{(q, x_{q,0}) \in Q \times X \,\middle|\, \begin{array}{l} \text{either } x_{q,0} \in G_q(\sigma) \\ \text{or } \exists\, t_0, t_1 \in \mathbb{R}_+,\ t_0 < t_1,\ u \in U_c, \text{ such that} \\ x_q(t_0) = x_{q,0},\ x_q(t_1-) \in G_q(\sigma), \text{ and } \forall t \in [t_0, t_1),\ x_q(t) \in X_q \end{array}\right\}$$

Definition 5. Consider a time-invariant hybrid control system.

a. For $q_i, q_j \in Q$ and $\sigma \in \Sigma_{in}$ define the departure set $D(q_i, \sigma, q_j, A^+)$ and the collection of departure sets $D(q_i)$ as

$$D(q_i, \sigma, q_j, A^+) = \left\{ x_{q_i} \in X_{q_i} \;\middle|\; \exists\, x_{q_j} \in A^+ \text{ such that } q_j = \delta(q_i, x_{q_i}, \sigma) \text{ and } x_{q_j} = r(q_i, q_j, x_{q_i}, \sigma) \right\},$$

$$D(q_i) = \left\{ D(q_i, \sigma, q_j, A^+),\ \forall q_j \in Q,\ \forall \sigma \in \Sigma_{in},\ \forall A^+ \subset X_{q_j} \right\}.$$

In words, $D(q_i, \sigma, q_j, A^+)$ consists of those states in $X_{q_i}$ at which, when the input event occurs at the time the continuous state is in this subset of the state space, the system is transferred to the discrete state $q_j$ and to a continuous state in $A^+$. Note that in the definition of $D(q_i, \sigma, q_j, A^+)$ both $q_j$ and $\sigma$ are required. Because an input event can occur at any time it follows that for $q_i \in Q$ and $\sigma \in \Sigma_{in}$ the set

$$\left\{ D(q_i, \sigma, q_j, X_{q_j}) \subset X_{q_i},\ q_j \in Q \right\}$$

forms a partition of the state space $X_{q_i}$. Let for $q_i, q_j \in Q$ and $\sigma \in \Sigma_{in}$

$$C\text{-}Con_{q_i}(D(q_i, \sigma, q_j, X_{q_j}))$$

be the continuous-controllability set of $D(q_i, \sigma, q_j, X_{q_j})$. In words, this set consists of all states in $X_{q_i}$ from which one can transfer the system by a continuous input to a state in $D(q_i, \sigma, q_j, X_{q_j})$ at which the input event $\sigma \in \Sigma_{in}$ can be applied and as a consequence the system moves to the new discrete state $q_j$.

b. For $q_i, q_j \in Q$ and $\sigma \in \Sigma_{in} \cup \Sigma_{cd}$ define the arrival set as

$$AR(q_i, \sigma, q_j) = \left\{ x^+ \in X_{q_j} \;\middle|\; \exists\, x_{q_i} \in X_{q_i} \text{ such that } q_j = \delta(q_i, x_{q_i}, \sigma) \text{ and } x^+ = r(q_i, q_j, x_{q_i}, \sigma) \right\}.$$

In words, $AR(q_i, \sigma, q_j)$ consists of those states in $X_{q_j}$ at which one arrives in the set $X_{q_j}$ from the discrete state $q_i$ by an event $\sigma \in \Sigma_{in} \cup \Sigma_{cd}$. Denote

$$AR = \left\{ AR(q_i, \sigma, q_j) \subset X_{q_j},\ \forall q_i, q_j \in Q,\ \sigma \in \Sigma_{in} \cup \Sigma_{cd} \right\}.$$


Terminology of discrete-event systems is introduced. A discrete-event system is defined to be a generator consisting of the objects $(Q, \Sigma, \delta, q_0)$, where $Q$ is a finite set called the state set, $\Sigma$ is a finite set called the alphabet, $\delta : Q \times \Sigma \to Q$ is a function called the transition function (it may be a partial function), and $q_0 \in Q$ is the initial state of the system. Denote by $\Sigma^*$ the set of all finite strings with events in $\Sigma$ and the empty string $\epsilon \notin \Sigma$. Extend the transition function to $\delta : Q \times \Sigma^* \to Q$ by defining it for sequences.

The discrete-event system is said to be reachable if for any $q_i \in Q$ there exists an $s \in \Sigma^*$ such that $q_i = \delta(q_0, s)$.

Definition 6. Consider a time-invariant hybrid control system. Define the associated arrival discrete-event system (arrival DES; actually, it is a generator) as

$$(AR,\ \Sigma_{in} \cup \Sigma_{cd},\ \delta_{AR},\ AR_{q_0}),$$

$$AR = \left\{ AR(q_i, \sigma, q_j) \subset X_{q_j},\ q_i, q_j \in Q,\ \sigma \in \Sigma_{in} \cup \Sigma_{cd} \right\},$$

$$AR(q_i, \sigma_1, q_j) = \delta_{AR}(AR(q_k, \sigma_0, q_i), \sigma_1) \quad \text{if } \begin{cases} \text{either } AR(q_k, \sigma_0, q_i) \subset C\text{-}Con_{q_i}(G_{q_i}(\sigma_1)) \\ \text{or } AR(q_k, \sigma_0, q_i) \subset C\text{-}Con_{q_i}(D(q_i, \sigma_1, q_j, X_{q_j})), \end{cases}$$

else not defined,

$$AR_{q_0} = AR(q_j, \sigma, q_0) \quad \text{if } x_{q_0,0} \in AR(q_j, \sigma, q_0) \in AR.$$

In words, the transition takes place if the arrival set $AR(q_k, \sigma_0, q_i)$ is fully contained in one of the indicated continuous-controllability sets. In this case it is possible to start in any state of the arrival set and to transfer the system to either a guard or a departure set, at which state an event occurs or can be supplied to the system, respectively.

Note that the conditions in the definition of the transition function $\delta_{AR}$ are restrictions: it may be the case that $AR(q_k, \sigma_0, q_i)$ is not fully contained in one set but intersects two or more continuous-controllability sets. Thus, a particular arrival set may not be related by a transition to any of the other arrival sets in the arrival DES.

Proposition 7. Consider a time-invariant hybrid control system. If

1. the associated arrival DES $(AR, \Sigma_{in} \cup \Sigma_{cd}, \delta_{AR}, AR_{q_0})$ is reachable;

2. for any $(q_f, x_{q_f,1}) \in Q \times X$ there exist $q_i \in Q$ and $\sigma \in \Sigma_{in} \cup \Sigma_{cd}$ such that

$$AR(q_i, \sigma, q_f) \subset C\text{-}Con_{q_f}(\{x_{q_f,1}\});$$

in words, any final state can be reached from any state in an arrival set in $X_{q_f}$ associated with either an input event or an event generated by the continuous dynamics;

then the hybrid control system is controllable.

Proof. This follows from Proposition 3 and Definitions 4, 5, and 6. □
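The constructions of Definitions 4 to 6 and condition 1 of Proposition 7, carried out on a finite abstraction as an added example that is not the paper's own code: the cell sets $X_q$, the flow relation, the event table, the event name "a" and the cell numbering are all constructed, and the continuous-controllability sets are computed as backward closures over the finite flow relation instead of from the continuous dynamics, which is exactly the step the text says is hard in general.

```python
from collections import deque

# Constructed finite abstraction of a time-invariant hybrid control system with
# input events only (no guards). Each continuous state space X_q is a finite set
# of cells, FLOW[q][cell] is the set of cells reachable from `cell` by one step
# of the continuous dynamics without leaving X_q, and EVENT[(q, cell, sigma)] =
# (delta(q, cell, sigma), r(q, q', cell, sigma)) gives the discrete successor and
# the reset continuous state; keys that are absent mean the event is undefined.
X = {0: {0, 1, 2}, 1: {0, 1, 2}}
FLOW = {0: {0: {1}, 1: {2}, 2: set()}, 1: {0: {1}, 1: {2}, 2: set()}}
# Variant in which the dynamics in discrete state 1 cannot leave cell 1, so the
# arrival set there is not contained in any continuous-controllability set.
BROKEN_FLOW = {0: FLOW[0], 1: {0: {1}, 1: set(), 2: set()}}
EVENT = {(0, 2, "a"): (1, 0), (1, 2, "a"): (0, 0)}
Q, SIGMA_IN = set(X), {"a"}


def c_con(q, target, flow=FLOW):
    """C-Con_q(target) of Definition 4 on the abstraction: cells of X_q from which
    a trajectory that stays inside X_q reaches a cell of `target` (backward closure)."""
    reached, work = set(target), deque(target)
    while work:
        cell = work.popleft()
        for src, succ in flow[q].items():
            if cell in succ and src not in reached:
                reached.add(src)
                work.append(src)
    return reached


def departure(qi, sigma, qj, a_plus):
    """D(q_i, sigma, q_j, A+) of Definition 5a: cells of X_{q_i} at which `sigma`
    moves the system to q_j with a continuous state in A+."""
    return {x for x in X[qi]
            if (qi, x, sigma) in EVENT
            and EVENT[(qi, x, sigma)][0] == qj
            and EVENT[(qi, x, sigma)][1] in a_plus}


def arrival(qi, sigma, qj):
    """AR(q_i, sigma, q_j) of Definition 5b: cells of X_{q_j} at which one arrives
    from q_i by the event `sigma`."""
    return frozenset(EVENT[(qi, x, sigma)][1] for x in X[qi]
                     if (qi, x, sigma) in EVENT and EVENT[(qi, x, sigma)][0] == qj)


def arrival_des(flow=FLOW):
    """State set and transition function delta_AR of the arrival DES of Definition 6
    (departure-set clause only, since this abstraction has no guards). States are
    labelled by the triple (q_i, sigma, q_j) of their arrival set."""
    states = {(qi, s, qj): arrival(qi, s, qj)
              for qi in Q for s in SIGMA_IN for qj in Q}
    states = {k: v for k, v in states.items() if v}      # drop empty arrival sets
    delta = {}
    for (qk, s0, qi), ar in states.items():
        for s1 in SIGMA_IN:
            for qj in Q:
                if (qi, s1, qj) not in states:
                    continue
                # a transition exists only if the whole arrival set lies in
                # C-Con_{q_i}(D(q_i, s1, q_j, X_{q_j})), as Definition 6 requires
                if ar <= c_con(qi, departure(qi, s1, qj, X[qj]), flow):
                    delta[((qk, s0, qi), s1)] = (qi, s1, qj)
    return states, delta


def is_reachable(states, delta, initial):
    """Condition 1 of Proposition 7: every state of the generator is reachable
    from `initial`, the arrival set containing x_{q_0,0}."""
    seen, work = {initial}, deque([initial])
    while work:
        s = work.popleft()
        for (src, _), dst in delta.items():
            if src == s and dst not in seen:
                seen.add(dst)
                work.append(dst)
    return seen == set(states)


if __name__ == "__main__":
    states, delta = arrival_des()
    print("arrival sets:", dict(states))
    print("delta_AR:", delta)
    print("reachable:", is_reachable(states, delta, (0, "a", 1)))  # True
    states, delta = arrival_des(BROKEN_FLOW)
    print("reachable with BROKEN_FLOW:",
          is_reachable(states, delta, (0, "a", 1)))  # False: no transition out of AR(0,a,1)
```

With `BROKEN_FLOW` the arrival set $AR(0, a, 1)$ is not contained in the controllability set of the departure set, so $\delta_{AR}$ is undefined there and condition 1 fails, which is the situation the note after Definition 6 describes.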

The main difficulty in the application of the above result is to determine the controllability sets. The control system at a particular discrete state will in general be nonlinear and may have a geometrically structured input space. In specific cases the controllability set can be approximated. Note that because Proposition 7 only describes a sufficient condition for controllability it is possible to take smaller subsets than $C\text{-}Con_q(G_q(\sigma))$ and $C\text{-}Con_q(D(q_i, \sigma, q_j, X_{q_j}))$ in the definition of the $AR$ system.

As remarked above, the condition imposed in Definition 6 is restrictive because the complete arrival set has to be contained in either the controllability set of a guard or in the destination set of an input event. Below a different approach is described.

Consider the finite collection

$$\mathcal{A} = \left\{ A(q_i, k) \subset X_{q_i},\ k = 1, \dots, n_{q_i},\ q_i \in Q \right\}.$$

Assume that there exists an $A_0 = A(q_0, r) \in \mathcal{A}$ such that $x_{q_0,0} \in A(q_0, r)$. Define for a hybrid control system, $q_i, q_j \in Q$, $\sigma \in \Sigma_{in} \cup \Sigma_{cd}$, and $A \subset X_{q_j}$,

$$DT(q_i, \sigma, q_j, A) = \left\{ x_{q_i} \in X_{q_i} \;\middle|\; q_j = \delta(q_i, x_{q_i}, \sigma) \text{ and } r(q_i, q_j, x_{q_i}, \sigma) \in A \right\}.$$

The definition of the set $DT$ is a minor extension of that of $D$. Note that for $\sigma \in \Sigma_{cd}$

$$\subset \bigcup_{q_j \in Q} DT(q_i, \sigma, q_j, X_{q_j}).$$

Define the generator

$$(\mathcal{A},\ \Sigma_{in} \cup \Sigma_{cd},\ \delta_{\mathcal{A}},\ A_0),$$

$$A(q_j, m) = \delta_{\mathcal{A}}(A(q_i, k), \sigma), \quad \text{if } A(q_i, k) \subset C\text{-}Con_{q_i}(DT(q_i, \sigma, q_j, A(q_j, m))).$$

The generator is meaningful because the subset inclusion guarantees, for any state in the set $A(q_i, k)$, the existence of a continuous input that moves the state of the system to the set $DT$, from which an event will transfer the system to a state in the set $A(q_j, m)$.

Theorem 8. Consider a time-invariant hybrid control system. If there exists a collection of sets

$$\mathcal{A} = \left\{ A(q_i, k) \subset X_{q_i},\ k \in \mathbb{Z}_{n_{q_i}},\ q_i \in Q \right\}$$

such that

1. for all $q_i, q_j \in Q$ and $\sigma \in \Sigma_{in} \cup \Sigma_{cd}$ there holds

$$AR(q_i, \sigma, q_j) = \bigcup_{k \in I(q_i, \sigma, q_j)} A(q_j, k)$$

for an index set $I(q_i, \sigma, q_j) \subset \mathbb{Z}_{n_{q_j}}$;

2. the generator $(\mathcal{A}, \Sigma_{in} \cup \Sigma_{cd}, \delta_{\mathcal{A}}, A_0)$ is reachable;

3. for any $(q_f, x_{q_f,1}) \in Q \times X_{q_f}$ there exists a set $A(q_f, i) \in \mathcal{A}$ and for any state $(q_f, x_{q_f,0}) \in A(q_f, i)$ a continuous input $u \in U_c$ such that the system is transferred from state $(q_f, x_{q_f,0}) \in Q \times A(q_f, i)$ to state $(q_f, x_{q_f,1})$ without leaving the state space $X_{q_f}$;

then the hybrid control system is controllable.

The proof follows along the lines of that of Proposition 3.

A dynamic programming-like procedure can be formulated for the construction of the collection of the $A$ sets. Suppose a terminal state $(q_f, x_{q_f}) \in Q \times X_{q_f}$ is specified. Construct successively by a backward recursion the collections of sets $\mathcal{A}_0, \mathcal{A}_1, \mathcal{A}_2, \dots$ as follows. Let

$$A_0(q_f, r(q_k, \sigma)) = AR(q_k, \sigma, q_f) \cap C\text{-}Con_{q_f}(\{x_{q_f}\}), \quad \forall q_k \in Q,\ \sigma \in \Sigma_{in} \cup \Sigma_{cd},$$

$$A_0(q_i, r(q_k, \sigma)) = AR(q_k, \sigma, q_i), \quad \text{if } q_i \neq q_f,\ \forall q_k \in Q,\ \sigma \in \Sigma_{in} \cup \Sigma_{cd}.$$

For $k = 0, 1, \dots$, $q_i, q_j \in Q$, $r_1, r_2 \in \mathbb{Z}_+$, $\sigma \in \Sigma_{in} \cup \Sigma_{cd}$, let

$$A_{k+1}(q_i, (r_1, r_2, s, \sigma_1, \sigma_2, q_j)) = A_k(q_i, r_1) \cap AR(q_s, \sigma_1, q_i) \cap C\text{-}Con_{q_i}(DT(q_i, \sigma_2, q_j, A_k(q_j, r_2))).$$

The range of $r_1$ is the index set for which $A_k(q_i, \cdot)$ is defined, and similarly the range of $r_2$ is associated with $A_k(q_j, \cdot)$. After the sets $A_{k+1}(q_i, (\dots))$ have all been determined they should be relabeled $r = 1, 2, \dots, n_r$. In general there is no condition that implies that the procedure will terminate after a finite number of steps. However, if it terminates then it still has to be checked whether the conditions of Theorem 8 hold. The procedure formulated above is analogous to but different from a procedure formulated in [5].

The  sufficient  conditions  for  controllability  were  developed  with  a  particular 
hybrid  system  in  mind.  The  example  has  been  omitted  from  the  paper  because 
it  requires  a  large  amount  of  space  for  tables  and  notation.  The  reader  is  referred 
to  the  report  [13]  for  a  hybrid  system  of  a  model  of  conveyor  belts  and  to  [7]  for 
a  hybrid  system  of  a  model  of  a  chemical  plant. 

4  Conclusion 

Several  sufficient  conditions  for  controllability  of  hybrid  control  systems  have 
been  formulated  and  proven.  Further  research  is  required  to  test  the  usefulness 
of  the  conditions  on  examples. 
Abstract. In this paper, we consider the problem of verifying hybrid systems modelled by linear hybrid automata. We extend the traditional regular expressions with time constraints and use them as a language to describe the behaviour of a class of linear hybrid automata. The extended notation is called Hybrid Regular Expression (HRE). Based on linear programming, we show that for the class of linear hybrid automata whose behaviour can be represented by HREs, two classes of reachability problems and the satisfaction problem for linear duration invariants are decidable.


1  Introduction 

The formalism of hybrid automata [1] has become a standard model for real-time and hybrid systems. A class of hybrid systems can be modelled by linear hybrid automata. Informally, a linear hybrid automaton is a conventional automaton extended with a set of variables, which are used to model the state of the continuous component of hybrid systems and are assumed to be piecewise linear functions of time. The states of the automaton, called locations, are assigned a change rate for each variable, such as $\dot{x} = w$ ($x$ is a variable, $w$ is a real number), and the transitions of the automaton are labelled with constraints on the variables such as $a \le x \le b$ and/or with reset actions such as $x := c$ ($x$ is a variable; $a$, $b$, and $c$ are real numbers). Each location is also assigned an invariant condition that must hold when the system resides at the location. The automaton starts at one of the initial locations with all variables initialised to their initial values. As time progresses, the values of all variables change continuously according to the rate associated with the current location. At any time, the system can change its current location from $s$ to $s'$ provided that there is a transition $p$ from $s$ to $s'$ whose labelling conditions are satisfied by the current values of the variables. With a location change by a transition $p$, all the variables are reset to their new values accordingly by the reset actions labelled on $p$. Transitions are assumed to be instantaneous.

*  This  work  is  supported  by  the  National  Natural  Science  Foundation  of  China  and 
International  Institute  for  Software  Technology,  The  United  Nations  University 
(UNU/IIST). 
Let us consider an example of a water-level monitor in [2]. The water level in a tank is controlled through a monitor, which continuously senses the water level and turns a pump on and off. The water level changes as a piecewise-linear function of time. When the pump is off, the water level falls by two inches per second; when the pump is on, the water level rises by one inch per second. Suppose that initially the water level is one inch and the pump is on. There is a delay of two seconds from the time that the monitor signals to change the status of the pump to the time that the change becomes effective. The system is modelled by the hybrid automaton depicted in Figure 1. The automaton has four locations. In the locations $s_1$ and $s_2$, the pump is on; in the locations $s_3$ and $s_4$, the pump is off. The variable $y$ is used to model the water level, and $x$ is used to specify the delays: whenever the control is in location $s_2$ or $s_3$, the value of $x$ indicates how long ago the signal to switch the pump off or on was sent.


Fig.  1.  A  hybrid  automaton  modelling  a  water-level  monitor 


In this paper, we use timed sequences to express the behaviour of real-time and hybrid systems. A timed sequence $(s_1, t_1) \frown (s_2, t_2) \frown \cdots \frown (s_m, t_m)$ represents a behaviour of a system in which the system starts at the state $s_1$, stays there for $t_1$ time units, then changes to $s_2$ and stays in $s_2$ for $t_2$ time units, and so on. The values $t_1, t_2, \dots, t_m$ have to satisfy some time constraints enforced by the system. For example, $(s_1, 9) \frown (s_2, 2) \frown (s_4, 3.5) \frown (s_3, 2) \frown (s_1, 8)$ expresses a behaviour of the hybrid automaton in Fig. 1.

Since the number of timed sequences needed to express the behaviour of a system may be infinite, we have to find a notion that is a finite representation of the behaviour of systems. A traditional way to express the behaviour of an automaton is to use regular expressions. In this paper, we extend the traditional regular expressions with time constraints and use them as a language to describe the behaviour of real-time and hybrid systems. The extended notation will be called Hybrid Regular Expression (HRE). HREs can express the behaviour of a class of linear hybrid automata. We show that for the class of linear hybrid automata whose behaviour can be expressed by HREs, two classes of reachability problems and the satisfaction problem for linear duration invariants are decidable.

The paper is organised as follows. In the next section, we introduce the notion of Hybrid Regular Expression. Section 3 shows that two classes of reachability problems for the class of linear hybrid automata whose behaviour can be expressed by HREs are decidable. The satisfaction problem of linear duration invariants for this class of linear hybrid automata is resolved in Section 4. The last section is the conclusion of the paper.


2  Hybrid  Regular  Expressions 

While a regular expression over a set of states (alphabet) is a finite representation of an (infinite) set of sequences of states, an HRE will be a finite representation of a set of timed sequences of states.

Let $V$ be a finite set and $\mathbb{R}_+$ be the set of nonnegative real numbers. Each element of $V$ is called a location or state. A finite sequence $(s_1, t_1) \frown (s_2, t_2) \frown \cdots \frown (s_m, t_m)$ of elements in $V \times \mathbb{R}_+$ is called a timed sequence over $V$. In this paper, we use $\frown$ to denote the concatenation of sequences. The occurrence time $\tau(\sigma)$ of a timed sequence $\sigma = (s_1, t_1) \frown (s_2, t_2) \frown \cdots \frown (s_m, t_m)$ over $V$ is defined by $\tau(\sigma) = \sum_{i=1}^{m} t_i$.

A timed sequence $(s_1, t_1) \frown (s_2, t_2) \frown \cdots \frown (s_m, t_m)$ represents a behaviour of a system in which the system starts at the state $s_1$, stays there for $t_1$ time units, then changes to $s_2$ and stays in $s_2$ for $t_2$ time units, and so on. The values $t_1, t_2, \dots, t_m$ have to satisfy some time constraints enforced by the system. These time constraints must be incorporated into the finite representation of the system behaviours. By incorporating time constraints into regular expressions, we get Hybrid Regular Expressions.

Definition 1. An HRE $\mathcal{R}$ and the language $\mathcal{L}(\mathcal{R})$ represented by $\mathcal{R}$ over a finite set $V$ of states are defined recursively as follows:

1. $\epsilon$ is an HRE, and $\mathcal{L}(\epsilon) = \{\epsilon\}$.

2. If $v \in V$, then $v$ is an HRE, and $\mathcal{L}(v) = \{(v, t) \mid t \in \mathbb{R}_+\}$.

3. If $\mathcal{R}_1$ and $\mathcal{R}_2$ are HREs, then $\mathcal{R}_1 \frown \mathcal{R}_2$ is an HRE, and

$$\mathcal{L}(\mathcal{R}_1 \frown \mathcal{R}_2) = \{\sigma_1 \frown \sigma_2 \mid \sigma_1 \in \mathcal{L}(\mathcal{R}_1),\ \sigma_2 \in \mathcal{L}(\mathcal{R}_2)\}.$$

4. If $\mathcal{R}_1$ and $\mathcal{R}_2$ are HREs, then $\mathcal{R}_1 \oplus \mathcal{R}_2$ is an HRE, and

$$\mathcal{L}(\mathcal{R}_1 \oplus \mathcal{R}_2) = \mathcal{L}(\mathcal{R}_1) \cup \mathcal{L}(\mathcal{R}_2).$$

5. If $\mathcal{R}$ is an HRE, then $\mathcal{R}^*$ is an HRE, and

$$\mathcal{L}(\mathcal{R}^*) = \Big\{\sigma_1 \frown \cdots \frown \sigma_m \;\Big|\; m \ge 0 \text{ and } \bigwedge_{i=1}^{m} (\sigma_i \in \mathcal{L}(\mathcal{R}))\Big\},$$

where $\sigma_1 \frown \cdots \frown \sigma_m = \epsilon$ when $m = 0$.

6. If $\mathcal{R}_1, \mathcal{R}_2, \dots, \mathcal{R}_m$ are HREs, then

$$((\mathcal{R}_1, \lambda_1) \frown (\mathcal{R}_2, \lambda_2) \frown \cdots \frown (\mathcal{R}_m, \lambda_m),\ \Delta)$$

is an HRE, where $\Delta$ is a set of linear inequalities on $\lambda_1, \lambda_2, \dots, \lambda_m$ of the form $a \le c_1 \lambda_1 + c_2 \lambda_2 + \cdots + c_m \lambda_m \le b$ ($a$, $b$, and $c_i$ ($1 \le i \le m$) are real numbers) and, for any $\mathcal{R}_i$ ($1 \le i \le m$) in which there is an occurrence of the combinator $*$, for any $a \le c_1 \lambda_1 + c_2 \lambda_2 + \cdots + c_m \lambda_m \le b \in \Delta$, if $c_i \ne 0$ then every $c_j \ge 0$ ($1 \le j \le m$); and

$$\mathcal{L}\big(((\mathcal{R}_1, \lambda_1) \frown (\mathcal{R}_2, \lambda_2) \frown \cdots \frown (\mathcal{R}_m, \lambda_m),\ \Delta)\big) = \Big\{\sigma_1 \frown \sigma_2 \frown \cdots \frown \sigma_m \;\Big|\; \text{each } \sigma_i\ (1 \le i \le m) \text{ belongs to } \mathcal{L}(\mathcal{R}_i) \text{ such that for all } a \le \sum_{i=1}^{m} c_i \lambda_i \le b \in \Delta,\ a \le \sum_{i=1}^{m} c_i \tau(\sigma_i) \le b\Big\}.$$

When $\Delta = \{a \le \sum_{i=1}^{m} \lambda_i \le b\}$, $((\mathcal{R}_1, \lambda_1) \frown (\mathcal{R}_2, \lambda_2) \frown \cdots \frown (\mathcal{R}_m, \lambda_m),\ \Delta)$ is taken to be $(\mathcal{R}_1 \frown \mathcal{R}_2 \frown \cdots \frown \mathcal{R}_m,\ [a, b])$. □


Although the traditional regular expressions are powerful enough to describe the behaviour of finite automata, HREs are not powerful enough to describe the behaviour of all linear hybrid automata. Nevertheless, HRE is simple and powerful enough to express the real-time behaviour of many real-time hybrid systems encountered in practice.

For example, the behaviour of the linear hybrid automaton (Fig. 1) modelling the water-level monitor in the introduction can be represented by the following HRE $\mathcal{R}_w$:

$$\mathcal{R}_w = \epsilon \oplus (s_1, [0, 9]) \oplus (s_1, [9, 9]) \frown (s_2, [0, 2]) \oplus \mathcal{R}_1 \oplus \mathcal{R}_2 \frown \mathcal{R}_3^* \frown \big((s_3, [0, 2]) \oplus \mathcal{R}_4 \oplus \mathcal{R}_5 \oplus \mathcal{R}_6\big)$$

where

$$\mathcal{R}_1 = \big((s_1, \lambda_1) \frown (s_2, \lambda_2) \frown (s_4, \lambda_3),\ \{\lambda_1 = 9,\ \lambda_2 = 2,\ 2\lambda_3 - \lambda_2 \le 5\}\big)$$

$$\mathcal{R}_2 = \big((s_1, \lambda_1) \frown (s_2, \lambda_2) \frown (s_4, \lambda_3),\ \{\lambda_1 = 9,\ \lambda_2 = 2,\ 2\lambda_3 - \lambda_2 = 5\}\big)$$

$$\mathcal{R}_3 = \big((s_3, \lambda_1) \frown (s_1, \lambda_2) \frown (s_2, \lambda_3) \frown (s_4, \lambda_4),\ \{\lambda_1 = 2,\ \lambda_2 - 2\lambda_1 = 5,\ \lambda_3 = 2,\ 2\lambda_4 - \lambda_3 = 5\}\big)$$

$$\mathcal{R}_4 = \big((s_3, \lambda_1) \frown (s_1, \lambda_2),\ \{\lambda_1 = 2,\ \lambda_2 - 2\lambda_1 \le 5\}\big)$$

$$\mathcal{R}_5 = \big((s_3, \lambda_1) \frown (s_1, \lambda_2) \frown (s_2, \lambda_3),\ \{\lambda_1 = 2,\ \lambda_2 - 2\lambda_1 = 5,\ 0 \le \lambda_3 \le 2\}\big)$$

$$\mathcal{R}_6 = \big((s_3, \lambda_1) \frown (s_1, \lambda_2) \frown (s_2, \lambda_3) \frown (s_4, \lambda_4),\ \{\lambda_1 = 2,\ \lambda_2 - 2\lambda_1 = 5,\ \lambda_3 = 2,\ -5 \le \lambda_3 - 2\lambda_4\}\big).$$

Since HREs form a very simple formalism to model real-time and hybrid systems, hopefully many problems are decidable for the class of real-time and hybrid systems defined by HREs. In the next two sections, we show that for the class of linear hybrid automata whose behaviour can be represented by HREs, two classes of reachability problems and the satisfaction problem for linear duration invariants are decidable. In the rest of this section, we introduce some concepts concerning HREs that will be used in the next two sections.

For an HRE $\mathcal{R}$, if $\mathcal{L}(\mathcal{R}) = \emptyset$, then $\mathcal{R}$ is said to be empty.
Definition 2. For an HRE $\mathcal{R}$, its sub-expressions are defined recursively by:

1. $\mathcal{R}$ is a sub-expression of $\mathcal{R}$.

2. If $\mathcal{R} = \mathcal{R}_1 \frown \mathcal{R}_2$ or $\mathcal{R} = \mathcal{R}_1 \oplus \mathcal{R}_2$, where $\mathcal{R}_1$ and $\mathcal{R}_2$ are HREs, then all the sub-expressions of $\mathcal{R}_1$ and $\mathcal{R}_2$ are sub-expressions of $\mathcal{R}$.

3. If $\mathcal{R} = \mathcal{R}_1^*$ or $\mathcal{R} = (\mathcal{R}_1, [a, b])$, where $\mathcal{R}_1$ is an HRE, then all the sub-expressions of $\mathcal{R}_1$ are sub-expressions of $\mathcal{R}$.

4. If $\mathcal{R} = ((\mathcal{R}_1, \lambda_1) \frown (\mathcal{R}_2, \lambda_2) \frown \cdots \frown (\mathcal{R}_m, \lambda_m),\ \Delta)$, where each $\mathcal{R}_i$ ($1 \le i \le m$) is an HRE, then all the sub-expressions of $\mathcal{R}_i$ are sub-expressions of $\mathcal{R}$. □

A simple HRE is an HRE in which there is no occurrence of the combinators $*$ (repetition) and $\oplus$ (union). From Definition 1, any simple HRE $\mathcal{R}$ can be rewritten as a simple HRE $\mathcal{R}'$ of the form $((v_1, \lambda_1) \frown (v_2, \lambda_2) \frown \cdots \frown (v_m, \lambda_m),\ \Delta)$ such that $\mathcal{L}(\mathcal{R}) = \mathcal{L}(\mathcal{R}')$, where for each $i$ ($1 \le i \le m$), $v_i \in V$. Therefore, from now on, we assume that any simple HRE is of the form

$$((v_1, \lambda_1) \frown (v_2, \lambda_2) \frown \cdots \frown (v_m, \lambda_m),\ \Delta),$$

where $\Delta$ is a finite set of linear inequalities of the form $a \le \sum_{i=1}^{m} c_i \lambda_i \le b$.

For any simple HRE $\mathcal{R} = ((v_1, \lambda_1) \frown (v_2, \lambda_2) \frown \cdots \frown (v_m, \lambda_m),\ \Delta)$, let $M_\tau(\mathcal{R})$ ($m_\tau(\mathcal{R})$) denote the supremum (infimum) of the set $\{\tau(\sigma) \mid \sigma \in \mathcal{L}(\mathcal{R})\}$. $M_\tau(\mathcal{R})$ ($m_\tau(\mathcal{R})$) can be calculated by finding the maximal (minimal) value of the linear objective function $\lambda_1 + \lambda_2 + \cdots + \lambda_m$ subject to the group of linear inequalities in $\Delta$, which is a classical linear programming problem. If $m_\tau(\mathcal{R}) = 0$, $\mathcal{R}$ is said to be a zero-simple HRE; otherwise $\mathcal{R}$ is said to be a nonzero-simple HRE.

By a normal form we mean an HRE of the form $\mathcal{R}_1 \oplus \mathcal{R}_2 \oplus \cdots \oplus \mathcal{R}_m$, where the $\mathcal{R}_i$ are simple HREs.

Let $\mathcal{R}$ be an HRE, and $\mathcal{R}_1$ be a sub-expression of $\mathcal{R}$. Replacing an occurrence of $\mathcal{R}_1$ in $\mathcal{R}$ with a letter $X$, we obtain a context of $X$. Any context $C(X)$ of $X$ is associated with two real numbers $\varphi(C(X))$ and $\omega(C(X))$, which specify a lower bound and an upper bound of the constraints on the occurrence time enforced by the context on the variable $X$. If the context does not enforce any time constraint on $X$ then $\varphi(C(X)) = 0$ and $\omega(C(X)) = \infty$.

Definition 3. A context $C(X)$ of $X$, $\varphi(C(X))$ and $\omega(C(X))$ are defined recursively as:

1. $X$ is a context of $X$, and $\varphi(X) = 0$ and $\omega(X) = \infty$ (no additional constraint).

2. If $C_1(X)$ is a context of $X$ and $\mathcal{R}$ is an HRE, then $C(X) = C_1(X) \frown \mathcal{R}$ and $C(X) = \mathcal{R} \frown C_1(X)$ are contexts of $X$, and

$$\varphi(C(X)) = \varphi(C_1(X)),\qquad \omega(C(X)) = \omega(C_1(X))$$

(no additional constraint).

3. If $C_1(X)$ is a context of $X$ and $\mathcal{R}$ is an HRE, then $C(X) = C_1(X) \oplus \mathcal{R}$ and $C(X) = \mathcal{R} \oplus C_1(X)$ are contexts of $X$, and

$$\varphi(C(X)) = \varphi(C_1(X)),\qquad \omega(C(X)) = \omega(C_1(X))$$

(no additional constraint).

4. If $C_1(X)$ is a context of $X$, then $C(X) = C_1(X)^*$ is a context of $X$, and

$$\varphi(C(X)) = \varphi(C_1(X)),\qquad \omega(C(X)) = \omega(C_1(X))$$

(no additional constraint).

5. If $C_1(X)$ is a context of $X$ and $\mathcal{R}_1, \mathcal{R}_2, \dots, \mathcal{R}_m$ are HREs, then

$$C(X) = \big((\mathcal{R}_1, \lambda_1) \frown (\mathcal{R}_2, \lambda_2) \frown \cdots \frown (\mathcal{R}_{k-1}, \lambda_{k-1}) \frown (C_1(X), \lambda_k) \frown (\mathcal{R}_{k+1}, \lambda_{k+1}) \frown \cdots \frown (\mathcal{R}_m, \lambda_m),\ \Delta\big)$$

is a context of $X$ ($1 \le k \le m$). Let $a$ be the maximal value of the set $\{a/c_k \mid a \le c_1 \lambda_1 + c_2 \lambda_2 + \cdots + c_k \lambda_k + \cdots + c_m \lambda_m \le b \in \Delta \text{ and } c_k \ne 0\}$, and $b$ be the maximal value of the linear function $\lambda_k$ subject to all the linear inequalities in $\Delta$, respectively. Then

$$\varphi(C(X)) = \max(\varphi(C_1(X)), a),\qquad \omega(C(X)) = \min(\omega(C_1(X)), b)$$

(additional constraint enforced by $\Delta$). □

For any context $C(X)$, replacing $X$ in $C(X)$ with an HRE, say $\mathcal{R}$, we obtain an HRE, denoted by $C(\mathcal{R})$.

3  Checking  Linear  Hybrid  Automata  for  Reachability 

The reachability problem is central to the verification of hybrid systems. In general, the reachability problem for linear hybrid systems is undecidable [2,5,7]. But the following two classes of reachability problems are decidable for the class of linear hybrid automata whose behaviour can be expressed by HREs.

The first is a typical reachability problem studied in [5]: given a final location $s$, is there a behaviour of the automaton terminating at location $s$? Suppose $\mathcal{R}$ is an HRE representing the behaviour of the automaton terminating at location $s$. The reachability problem can be solved by checking the emptiness of $\mathcal{R}$.

The other is called the time-bounded reachability problem in [6]: given a final location $s$ and a time interval $[a, b]$, is there a behaviour of the automaton terminating at location $s$ such that the total elapsed time of the behaviour is in the time interval $[a, b]$? Let $\mathcal{R}$ be an HRE representing the behaviour of the automaton terminating at location $s$. The reachability problem is equivalent to the problem of checking the emptiness of $(\mathcal{R}, [a, b])$.

In the following, we solve the problem of checking the emptiness of an HRE. By Definitions 1 and 2, it is not difficult to prove the following two theorems.

Theorem 1. For an empty HRE $\mathcal{R}$ and for an HRE $\mathcal{R}_1$,

$$\mathcal{L}(\mathcal{R} \frown \mathcal{R}_1) = \mathcal{L}(\mathcal{R}_1 \frown \mathcal{R}) = \emptyset,$$

$$\mathcal{L}(\mathcal{R} \oplus \mathcal{R}_1) = \mathcal{L}(\mathcal{R}_1 \oplus \mathcal{R}) = \mathcal{L}(\mathcal{R}_1),$$

$$\mathcal{L}(\mathcal{R}^*) = \{\epsilon\}, \quad \text{and} \quad \mathcal{L}(\mathcal{R}, [a, b]) = \emptyset.$$

For an HRE $\mathcal{R}$ which has the form $((\mathcal{R}_1, \lambda_1) \frown (\mathcal{R}_2, \lambda_2) \frown \cdots \frown (\mathcal{R}_m, \lambda_m),\ \Delta)$, if the group of inequalities has no solution or there is an $\mathcal{R}_i$ ($1 \le i \le m$) such that $\mathcal{L}(\mathcal{R}_i) = \emptyset$, then $\mathcal{L}(\mathcal{R}) = \emptyset$. □

Theorem 2. Let $\mathcal{R}$ be an HRE and $\mathcal{R}_1$ be a sub-expression of $\mathcal{R}$. Let $\mathcal{R}_1'$ be an HRE such that $\mathcal{L}(\mathcal{R}_1') = \mathcal{L}(\mathcal{R}_1)$. Suppose $\mathcal{R}'$ is constructed by replacing an occurrence of $\mathcal{R}_1$ in $\mathcal{R}$ with $\mathcal{R}_1'$. Then $\mathcal{L}(\mathcal{R}) = \mathcal{L}(\mathcal{R}')$. □

By Theorems 1 and 2, for any HRE $\mathcal{R}$, we can find an HRE $\mathcal{R}'$ such that

• $\mathcal{L}(\mathcal{R}) = \mathcal{L}(\mathcal{R}')$, and

• $\mathcal{R}'$ has no sub-expression which is of the form

$$((\mathcal{R}_1, \lambda_1) \frown (\mathcal{R}_2, \lambda_2) \frown \cdots \frown (\mathcal{R}_m, \lambda_m),\ \Delta)$$

where the group of inequalities in $\Delta$ has no solution.

Hence, for simplicity, from now on, unless otherwise stated, we assume that all HREs under consideration have no sub-expression which is of the form

$$((\mathcal{R}_1, \lambda_1) \frown (\mathcal{R}_2, \lambda_2) \frown \cdots \frown (\mathcal{R}_m, \lambda_m),\ \Delta)$$

where the group of inequalities in $\Delta$ has no solution.

First, let us consider the problem of checking if a simple HRE is empty. Let $\mathcal{R}$ be a simple HRE $\mathcal{R} = ((v_1, \lambda_1) \frown (v_2, \lambda_2) \frown \cdots \frown (v_m, \lambda_m),\ \Delta)$. From the definition of HREs, every $\sigma \in \mathcal{L}(\mathcal{R})$ is of the form $(v_1, t_1) \frown (v_2, t_2) \frown \cdots \frown (v_m, t_m)$, where $t_1, t_2, \dots, t_m$ satisfy the group of linear inequalities represented by $\Delta$. Hence, the problem of checking the emptiness of a simple HRE can be solved by checking if the group of linear inequalities in $\Delta$ has no solution, which can be solved by linear programming.

Let $\mathcal{N} = \mathcal{R}_1 \oplus \mathcal{R}_2 \oplus \cdots \oplus \mathcal{R}_m$ be a normal form. Hence, each $\mathcal{R}_i$ ($1 \le i \le m$) is a simple HRE. Since $\mathcal{L}(\mathcal{N}) = \emptyset \iff \bigwedge_{i=1}^{m} \mathcal{L}(\mathcal{R}_i) = \emptyset$, the problem of checking if $\mathcal{N}$ is empty can be solved by solving $m$ linear programming problems checking if $\mathcal{R}_i$ is empty, $i = 1, 2, \dots, m$.

Therefore, for a general HRE $\mathcal{R}$, if we can effectively find a normal form $\mathcal{N}$ such that $\mathcal{L}(\mathcal{R}) = \emptyset$ if and only if $\mathcal{L}(\mathcal{N}) = \emptyset$, then we can check if $\mathcal{R}$ is empty effectively.

For an HRE $\mathcal{R}$, we attempt to find a normal form $\mathcal{N}$ such that $\mathcal{L}(\mathcal{R}) = \emptyset$ if and only if $\mathcal{L}(\mathcal{N}) = \emptyset$ by the following procedure:

Step 0. Let $\mathcal{R}' := \mathcal{R}$.

Step 1. For $\mathcal{R}'$, distributing $\frown$ over $\oplus$, and $[a, b]$ over $\oplus$, we obtain $Q$. If $Q$ is a normal form, then we are done.

Step 2. For a sub-expression $Q_s$ of $Q$ which is of the form $Q_s = Q_1^*$, replacing an occurrence of $Q_s$ in $Q$ with $X$, we obtain a context $C_Q(X)$ such that $\mathcal{R}' = C_Q(Q_s)$.

Step 3. Find an HRE $Q_s'$ in which there is no occurrence of the combinator $*$ such that $\mathcal{L}(C_Q(Q_s)) = \emptyset$ if and only if $\mathcal{L}(C_Q(Q_s')) = \emptyset$. Let $\mathcal{R}' := C_Q(Q_s')$, and go to Step 1. □

Obviously the procedure is correct. The problem is how to find $Q_s'$ in Step 3. The following lemmas and theorems will help to solve that problem.
Let $C(X)$ be a context. For a real number $x$, let $\lfloor x \rfloor$ denote the floor of $x$. For an HRE $\mathcal{R}$, let $\mathcal{R}^j$ denote the $j$-repetition of $\mathcal{R}$:

$$\mathcal{R}^j = \underbrace{\mathcal{R} \frown \mathcal{R} \frown \cdots \frown \mathcal{R}}_{j},\qquad \mathcal{R}^0 = \epsilon.$$

Lemma 1. Let $\mathcal{R}$ and $\mathcal{R}'$ be HREs. If for any $\sigma \in \mathcal{L}(\mathcal{R})$ there is a $\sigma' \in \mathcal{L}(\mathcal{R}')$ such that $\tau(\sigma) = \tau(\sigma')$, then $\mathcal{L}(C(\mathcal{R}')) = \emptyset$ implies $\mathcal{L}(C(\mathcal{R})) = \emptyset$. □

Lemma 2. Suppose $\omega(C(X)) = \infty$, and let $\mathcal{R}$ be a nonzero-simple HRE. Then for any real number $a$, for any $\sigma \in \mathcal{L}(C(\mathcal{R}^*))$ such that $\tau(\sigma) \ge a$, there is a $\sigma' \in \mathcal{L}(C(\bigoplus_{j=0}^{p} \mathcal{R}^j))$ such that $\tau(\sigma') \ge a$, where $p = \lfloor \max(\varphi(C(X)), a) / m_\tau(\mathcal{R}) \rfloor + 1$. □

Lemma 3. Let $\mathcal{R}$ be a nonzero-simple HRE. Then $\mathcal{L}(C(\bigoplus_{j=0}^{p} \mathcal{R}^j)) \supseteq \mathcal{L}(C(\mathcal{R}^*))$, where $p = \lfloor \omega(C(X)) / m_\tau(\mathcal{R}) \rfloor + 1$. □

These  lemmas  can  be  proved  by  induction  on  the  structure  of  context.  Their 
detailed  proofs  are  omitted  because  of  space  considerations.  From  these  lemmas, 
we  can  prove  the  following  theorems. 

Theorem 3. Let $\mathcal{R}_1$ and $\mathcal{R}_2$ be HREs. Then

$$\mathcal{L}(C((\mathcal{R}_1 \oplus \mathcal{R}_2)^*)) = \emptyset \quad \text{iff} \quad \mathcal{L}(C((\mathcal{R}_1^*) \frown (\mathcal{R}_2^*))) = \emptyset.$$

Proof. By Definition 1, $\mathcal{L}((\mathcal{R}_1^*) \frown (\mathcal{R}_2^*)) \subset \mathcal{L}((\mathcal{R}_1 \oplus \mathcal{R}_2)^*)$. From Lemma 1, one half of the claim follows, i.e.

$$\mathcal{L}(C((\mathcal{R}_1 \oplus \mathcal{R}_2)^*)) = \emptyset \text{ implies } \mathcal{L}(C((\mathcal{R}_1^*) \frown (\mathcal{R}_2^*))) = \emptyset.$$

The other half can be proved as follows. Since any $\sigma \in \mathcal{L}(C((\mathcal{R}_1 \oplus \mathcal{R}_2)^*))$ can be permuted into a $\sigma' \in \mathcal{L}(C((\mathcal{R}_1^*) \frown (\mathcal{R}_2^*)))$, from Lemma 1 the result follows. □

Theorem 4. Let $\mathcal{R} = ((v_1, \lambda_1) \frown (v_2, \lambda_2) \frown \cdots \frown (v_m, \lambda_m),\ \Delta)$ be a zero-simple HRE. Let $\Delta'$ be the set

$$\Big\{ 0 \le \sum_{i=1}^{m} c_i \lambda_i \;\Big|\; 0 \le \sum_{i=1}^{m} c_i \lambda_i \le b \in \Delta \ \wedge\ \exists j \cdot (1 \le j \le m \wedge c_j < 0) \Big\},$$

and $\mathcal{R}' = ((v_1, \lambda_1) \frown (v_2, \lambda_2) \frown \cdots \frown (v_m, \lambda_m),\ \Delta')$. Then

$$\mathcal{L}(C(\mathcal{R}^*)) = \emptyset \quad \text{iff} \quad \mathcal{L}(C(\mathcal{R}')) = \emptyset.$$

Proof. Before the proof, we should note that by the definition of zero-simple HREs, $m_\tau(\mathcal{R}) = 0$ implies that for any inequality $a \le c_1 \lambda_1 + c_2 \lambda_2 + \cdots + c_m \lambda_m \le b$ in $\Delta$, $a \le 0$ and $b \ge 0$.

The half of the claim that $\mathcal{L}(C(\mathcal{R}')) = \emptyset$ implies $\mathcal{L}(C(\mathcal{R}^*)) = \emptyset$ is explained as follows. By Definition 1, any $\sigma \in \mathcal{L}(\mathcal{R}^*)$ is of the form $\sigma_1 \frown \sigma_2 \frown \cdots \frown \sigma_n$, where

$$\sigma_i = (v_1, t_{i1}) \frown (v_2, t_{i2}) \frown \cdots \frown (v_m, t_{im}) \in \mathcal{L}(\mathcal{R}) \quad (i = 1, 2, \dots, n).$$

For any $j$ ($1 \le j \le m$), let $t_j' = t_{1j} + t_{2j} + \cdots + t_{nj}$, and let

$$\sigma' = (v_1, t_1') \frown (v_2, t_2') \frown \cdots \frown (v_m, t_m').$$

Since for any $i$ ($1 \le i \le n$), $t_{i1}, t_{i2}, \dots, t_{im}$ satisfy $\Delta$, $t_1', t_2', \dots, t_m'$ satisfy $\Delta'$ as well. It follows that $\sigma' \in \mathcal{L}(\mathcal{R}')$. Since $\tau(\sigma) = \tau(\sigma')$, the first half of the claim follows from Lemma 1.

The other half of the claim, i.e. $\mathcal{L}(C(\mathcal{R}^*)) = \emptyset$ implies $\mathcal{L}(C(\mathcal{R}')) = \emptyset$, can be proved as follows. For any $\sigma' = (v_1, t_1) \frown (v_2, t_2) \frown \cdots \frown (v_m, t_m) \in \mathcal{L}(\mathcal{R}')$, since $t_1, t_2, \dots, t_m$ satisfy $\Delta'$, for any $0 \le \sum_{i=1}^{m} c_i \lambda_i \le b \in \Delta$ we have $\sum_{i=1}^{m} c_i t_i \ge 0$. Because for each inequality $a \le c_1 \lambda_1 + c_2 \lambda_2 + \cdots + c_m \lambda_m \le b$ in $\Delta$, $a \le 0$ and $b \ge 0$, and because $\Delta$ is a finite set, we can choose a natural number $p$ such that for any inequality $a \le c_1 \lambda_1 + c_2 \lambda_2 + \cdots + c_m \lambda_m \le b \in \Delta$,

$$a \le \frac{c_1 t_1 + c_2 t_2 + \cdots + c_m t_m}{p} \le b.$$

For each $i$ ($1 \le i \le m$), let $b_i = t_i / p$, and let $\sigma_b = (v_1, b_1) \frown (v_2, b_2) \frown \cdots \frown (v_m, b_m)$. Obviously, $\sigma_b \in \mathcal{L}(\mathcal{R})$. Let

$$\sigma = \underbrace{\sigma_b \frown \sigma_b \frown \cdots \frown \sigma_b}_{p}.$$

It follows that $\sigma \in \mathcal{L}(\mathcal{R}^*)$. Since $\tau(\sigma) = \tau(\sigma')$, by Lemma 1, $\mathcal{L}(C(\mathcal{R}^*)) = \emptyset$ implies $\mathcal{L}(C(\mathcal{R}')) = \emptyset$. □

Theorem 5. Suppose $\omega(C(X)) = \infty$, and $\mathcal{R}$ be a nonzero-simple HRE. Then

$\mathcal{L}(C(\mathcal{R}^*)) = \emptyset$ iff $\mathcal{L}(C(\oplus_{j=0}^{p} \mathcal{R}^j)) = \emptyset$,

where $p = \lfloor \varphi(C(X))/m_T(\mathcal{R}) \rfloor + 1$.

Proof. By Definition 1, $\mathcal{L}(\mathcal{R}^*) \supseteq \mathcal{L}(\oplus_{j=0}^{p} \mathcal{R}^j)$ holds, which by Lemma 1 implies a half of the claim, i.e. $\mathcal{L}(C(\mathcal{R}^*)) = \emptyset$ implies $\mathcal{L}(C(\oplus_{j=0}^{p} \mathcal{R}^j)) = \emptyset$. The other half is straightforward from Lemma 2. □

Theorem 6. Suppose $\omega(C(X)) \ne \infty$, and $\mathcal{R}$ be a nonzero-simple HRE. Then

$\mathcal{L}(C(\mathcal{R}^*)) = \emptyset$ iff $\mathcal{L}(C(\oplus_{j=0}^{p} \mathcal{R}^j)) = \emptyset$,

where $p = \lfloor \omega(C(X))/m_T(\mathcal{R}) \rfloor + 1$.

Proof. By Definition 1, $\mathcal{L}(\mathcal{R}^*) \supseteq \mathcal{L}(\oplus_{j=0}^{p} \mathcal{R}^j)$ holds, which by Lemma 1 implies a half of the claim, i.e. $\mathcal{L}(C(\mathcal{R}^*)) = \emptyset$ implies $\mathcal{L}(C(\oplus_{j=0}^{p} \mathcal{R}^j)) = \emptyset$. The other half is straightforward from Lemma 3. □

Based on the above theorems, the algorithm to check an HRE $\mathcal{R}$ for emptiness is now described as follows.

Step 0. Let $\mathcal{R}' := \mathcal{R}$.

Step 1. For $\mathcal{R}'$, distributing $^\frown$ over $\oplus$, and $[a, b]$ over $\oplus$, we obtain $Q$.

Step 2. Find a sub-expression $Q_s$ of $Q$ which has one of the following three forms:

1. $Q_s = (\mathcal{R}_1 \oplus \mathcal{R}_2 \oplus \ldots \oplus \mathcal{R}_k)^*$ ($k \ge 2$), where every $\mathcal{R}_i$ ($1 \le i \le m$) is a simple HRE.

2. $Q_s = \mathcal{R}_1^*$, where $\mathcal{R}_1$ is a nonzero-simple HRE.

3. $Q_s = \mathcal{R}_1^*$, where $\mathcal{R}_1$ is a zero-simple HRE.

If no such $Q_s$ can be found, goto Step 6 (note that it is not difficult to prove that if no such $Q_s$ exists, then $Q$ is a normal form); otherwise, replacing the occurrence of $Q_s$ in $Q$ with $X$, we get a context $C_Q(X)$ such that $Q = C_Q(Q_s)$. Then, if $Q_s$ has the first form, goto Step 3; if $Q_s$ has the second form, goto Step 4; if $Q_s$ has the third form, goto Step 5.

Step 3. By Theorem 3, we transform $Q$ into $Q' = C_Q((\mathcal{R}_1)^* {}^\frown (\mathcal{R}_2)^* {}^\frown \ldots {}^\frown (\mathcal{R}_m)^*)$. Then, let $\mathcal{R}' := Q'$, and goto Step 1.

Step 4. We first calculate $\omega(C_Q(X))$. If $\omega(C_Q(X)) \ne \infty$, then by Theorem 6, we transform $Q$ into $Q' = C_Q(\oplus_{j=0}^{p} \mathcal{R}_1^j)$, where $p = \lfloor \omega(C_Q(X))/m_T(\mathcal{R}_1) \rfloor + 1$. Let $\mathcal{R}' := Q'$, and goto Step 1.

Otherwise, $\omega(C_Q(X)) = \infty$. By Theorem 5, we transform $Q$ into $Q' = C_Q(\oplus_{j=0}^{p} \mathcal{R}_1^j)$, where $p = \lfloor \varphi(C_Q(X))/m_T(\mathcal{R}_1) \rfloor + 1$. Let $\mathcal{R}' := Q'$, and goto Step 1.

Step 5. By Theorem 4, we transform $Q$ into $Q' = C_Q(\mathcal{R}_1')$, where $\mathcal{R}_1'$ is the simple HRE defined from $\mathcal{R}_1$ in Theorem 4. Let $\mathcal{R}' := Q'$, and goto Step 1.

Step 6. Since $Q$ is a normal form now, we check the emptiness of $Q$ by linear programming. If $Q$ is empty, then $\mathcal{R}$ is empty; otherwise $\mathcal{R}$ is not empty. □

4 Checking Linear Hybrid Automata for Linear Duration Invariants

In this section, the problem we are concerned with can be described as follows: given a hybrid automaton $A$ and a linear duration invariant $\mathcal{D}$, decide efficiently whether $A$ satisfies $\mathcal{D}$.


4.1 Linear Duration Invariants

Linear duration invariants [4] are constructed from linear inequalities of integrated durations of system states. They form an important class of Duration Calculus (DC) [3] formulas. In DC, states are modelled as Boolean functions from reals (representing continuous time) to $\{0, 1\}$, where 1 denotes state presence, and 0 denotes state absence. For a state $S$, the interval variable $\int S$ of DC is a function from bounded and closed intervals to reals which stands for the accumulated presence time (duration) of state $S$ over the intervals, and is defined formally by $\int S[a, b] = \int_a^b S(t)\,dt$, where $[a, b]$ ($b \ge a$) is a bounded interval of time. A linear duration invariant $\mathcal{D}$ in DC is of the form

$T \ge \int 1 \ge t \;\Rightarrow\; \bigwedge_{j=1}^{k} \left( \sum_{i=1}^{n} c_{ij} \int S_i \le M_j \right)$,

where $T$, $t$, $c_{ij}$, $M_j$ are real numbers ($T$ may be $\infty$).

The meaning of a linear duration invariant $\mathcal{D}$ is that if the system is observed for an interval of time satisfying the premise of $\mathcal{D}$, then the durations of the system states must satisfy the consequence of $\mathcal{D}$. It turns out that many real-time properties can be written as linear duration invariants.

For example, the requirement of the water-level monitor in Fig. 1, which is that the monitor must keep the water level between 1 and 12 inches, can be expressed by linear duration invariants as well. We know that when the control is in location $s_1$ or $s_2$, the water level rises 1 inch per second, and when the control is in location $s_3$ or $s_4$, the water level falls by 2 inches per second. Furthermore, for an interval $[0, t]$, the accumulated time that the system stays in $s_1$ or $s_2$ is $\int s_1 + \int s_2$, and the accumulated time that the system stays in $s_3$ or $s_4$ is $\int s_3 + \int s_4$. Therefore, the water level at time $t$, given that at the beginning the water level is one inch, is $1 + \int s_1 + \int s_2 - 2(\int s_3 + \int s_4)$. Hence, the requirement for the water-level monitor can be described by the following linear duration invariants

$0 \le \int 1 \le \infty \;\Rightarrow\; 1 + \int s_1 + \int s_2 - 2(\int s_3 + \int s_4) \le 12$;

$0 \le \int 1 \le \infty \;\Rightarrow\; 1 + \int s_1 + \int s_2 - 2(\int s_3 + \int s_4) \ge 1$.

For a location $v \in V$ and a predicate $S$ over $V$, let $v \Rightarrow S$ denote that $S$ holds while the system stays at $v$. A timed sequence $\sigma = (v_1, t_1)^\frown(v_2, t_2)^\frown \ldots {}^\frown(v_m, t_m)$ over $V$ satisfies a linear duration invariant $\mathcal{D}$ iff

$\bigwedge_{j=1}^{k} \left( \sum_{i=1}^{n} c_{ij} \left( \sum_{u \in \alpha_i} t_u \right) \le M_j \right)$

holds whenever $T \ge \sum_{u=1}^{m} t_u \ge t$, where $\alpha_i = \{ u \;|\; (1 \le u \le m) \wedge (v_u \Rightarrow S_i) \}$. A hybrid automaton satisfies a linear duration invariant if and only if every behaviour of the automaton satisfies the linear duration invariant. An HRE $\mathcal{R}$ satisfies a linear duration invariant $\mathcal{D}$, denoted by $\mathcal{R} \models \mathcal{D}$, iff every timed sequence $\sigma \in \mathcal{L}(\mathcal{R})$ satisfies $\mathcal{D}$.


4.2 Checking HREs for Linear Duration Invariants

Now, we consider the problem of checking an HRE $\mathcal{R}$ for a linear duration invariant $\mathcal{D}$. Without loss of generality, throughout this section, let $\mathcal{D}$ be

$t \le \int 1 \le T \;\Rightarrow\; \sum_{i=1}^{n} c_i \int S_i \le M$,

and for any $\sigma = (v_1, t_1)^\frown(v_2, t_2)^\frown \ldots {}^\frown(v_m, t_m) \in \mathcal{L}(\mathcal{R})$, let $\theta(\sigma, \mathcal{D})$ be the value of $\sum_{i=1}^{n} c_i \int S_i$ evaluated over $\sigma$,

$\theta(\sigma, \mathcal{D}) = \sum_{i=1}^{n} c_i \left( \sum_{u \in \alpha_i} t_u \right)$,

where $\alpha_i = \{ u \;|\; (1 \le u \le m) \wedge (v_u \Rightarrow S_i) \}$.

For simplicity, we assume that all HREs under consideration are not empty and do not have any empty sub-expression.
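To make the satisfaction test of Section 4.1 and the value $\theta(\sigma, \mathcal{D})$ defined just above concrete, here is an added example (not code from the paper or its authors) that evaluates both on constructed timed sequences of the water-level monitor. The locations $s_1, \ldots, s_4$ and the two invariants are the ones from the example above; the function names, the tuple encoding of an invariant, and the helper `check_all_prefixes` are assumptions made for this example. That helper goes beyond the text: it checks every prefix of a sequence, on the assumption that each prefix is itself a behaviour of the monitor, which is what a safety requirement such as the level bound needs.

```python
from math import inf

# Timed sequence: list of (location, dwell time) pairs, the paper's
# (v1, t1)^(v2, t2)^...^(vm, tm).  A state predicate S is represented by
# the set of locations v at which it holds (the paper's v => S).

def tau(seq):
    """Total time of the sequence, i.e. int 1 = t_1 + ... + t_m."""
    return sum(t for _, t in seq)

def duration(seq, state):
    """Accumulated presence time of a state over the sequence: the DC
    duration int S, i.e. the sum of t_u over u in alpha_i."""
    return sum(t for v, t in seq if v in state)

def theta(seq, terms):
    """theta(sigma, D) = sum_i c_i * (sum_{u in alpha_i} t_u), where
    `terms` lists the (c_i, S_i) pairs of one conjunct."""
    return sum(c * duration(seq, state) for c, state in terms)

def satisfies(seq, ldi):
    """Satisfaction of  t <= int 1 <= T  =>  /\_j (sum_i c_ij int S_i <= M_j).
    `ldi` is (t, T, [(terms_j, M_j), ...]).  When the total time falls
    outside [t, T] the premise is false and the invariant holds trivially."""
    t_low, t_high, conjuncts = ldi
    if not (t_low <= tau(seq) <= t_high):
        return True
    return all(theta(seq, terms) <= m for terms, m in conjuncts)

def check_all_prefixes(seq, ldi):
    """Assumption made for this example: every prefix of a behaviour is
    itself a behaviour, so the invariant is checked on each prefix
    (including the empty one)."""
    return all(satisfies(seq[:k], ldi) for k in range(len(seq) + 1))

# Constructed water-level monitor of Section 4.1: the level rises 1 inch/s
# in s1, s2 and falls 2 inch/s in s3, s4, starting at 1 inch.
RISING, FALLING = {"s1", "s2"}, {"s3", "s4"}

# level <= 12  <=>  (int s1 + int s2) - 2 (int s3 + int s4) <= 11
# level >= 1   <=>  -(int s1 + int s2) + 2 (int s3 + int s4) <= 0
WATER_LEVEL_LDI = (0, inf, [([(1, RISING), (-2, FALLING)], 11),
                            ([(-1, RISING), (2, FALLING)], 0)])

def water_level(seq):
    """1 + int s1 + int s2 - 2 (int s3 + int s4) at the end of the sequence."""
    return 1 + theta(seq, [(1, RISING), (-2, FALLING)])

if __name__ == "__main__":
    safe = [("s1", 5), ("s2", 3), ("s3", 2), ("s4", 1)]      # constructed
    overflow_then_drain = [("s1", 12), ("s3", 3)]             # constructed
    print(water_level(safe), satisfies(safe, WATER_LEVEL_LDI))   # 3 True
    print(satisfies(overflow_then_drain, WATER_LEVEL_LDI),
          check_all_prefixes(overflow_then_drain, WATER_LEVEL_LDI))  # True False
```

The second constructed sequence ends at a legal level of 7 inches and therefore satisfies the invariant as defined over the whole sequence, but its first prefix reaches 13 inches; only the prefix check catches that, which is why the paper's definition is applied to every behaviour of the automaton rather than to complete runs alone.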

For any nonzero-simple HRE $\mathcal{R} = ((v_1, \lambda_1)^\frown(v_2, \lambda_2)^\frown \ldots {}^\frown(v_m, \lambda_m), \Delta)$, let $M_\theta(\mathcal{R})$ denote the supremum of the set $\{ \theta(\sigma, \mathcal{D}) \;|\; \sigma \in \mathcal{L}(\mathcal{R}) \}$. $M_\theta(\mathcal{R})$ can be calculated effectively by finding the maximal value of the linear objective function $\sum_{i=1}^{n} c_i (\sum_{u \in \alpha_i} \lambda_u)$ subject to the group of linear inequalities in $\Delta$.

Let $\mathcal{R}$ be a simple HRE $\mathcal{R} = ((v_1, \lambda_1)^\frown(v_2, \lambda_2)^\frown \ldots {}^\frown(v_m, \lambda_m), \Delta)$. From the definition of HREs, every $\sigma \in \mathcal{L}(\mathcal{R})$ is of the form

$(v_1, t_1)^\frown(v_2, t_2)^\frown \ldots {}^\frown(v_m, t_m)$,

where $t_1, t_2, \ldots, t_m$ satisfy the group of linear inequalities represented by $\Delta$. Denoting this group of linear inequalities by $C_1$, the problem of checking $\mathcal{R} \models \mathcal{D}$ is then equivalent to the problem of finding the maximum value of the linear function $\sum_{i=1}^{n} c_{ij} (\sum_{u \in \alpha_i} t_u)$ subject to the linear constraints $C_1$ and $C_2$ and checking whether it is not greater than $M_j$ for all $j = 1, \ldots, k$, where $C_2$ denotes the inequality

$t \le t_1 + t_2 + \ldots + t_m \le T$.

The latter are linear programming problems.
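As an added example (not the paper's own code) of the linear-programming check just described: a simple HRE over the four water-level locations, a constructed constraint set $\Delta$ (the real monitor's constraints are not given on this page, so `BOX` bounds every dwell time by 4 seconds and `LEVEL_NEUTRAL` is an assumed extra inequality), and a decision of $\mathcal{R} \models \mathcal{D}$ by maximising the objective $\sum_i c_i (\sum_{u \in \alpha_i} \lambda_u)$ subject to $C_1 = \Delta$ and $C_2$. Instead of a simplex library, the small LP is solved exactly by Fourier–Motzkin elimination over rationals, which is adequate for a handful of variables; the hypothetical `maximise` returns None for an infeasible system, in which case no behaviour meets the premise and the invariant holds vacuously.

```python
from fractions import Fraction as F
from math import inf

# A simple HRE ((v1, l1)^(v2, l2)^...^(vm, lm), Delta): the dwell times
# l_1..l_m are the LP variables and Delta is a finite set of constraints
# lo <= c.l <= hi, written here as tuples (lo, coeffs, hi); lo may be -inf
# and hi may be inf.  Internally each constraint becomes one or two rows
# (coeffs, rhs) meaning sum(coeffs[i] * x[i]) <= rhs.

def bounds_to_rows(lo, coeffs, hi):
    c = [F(v) for v in coeffs]
    rows = []
    if hi != inf:
        rows.append((c, F(hi)))
    if lo != -inf:
        rows.append(([-v for v in c], F(-lo)))
    return rows

def eliminate(rows, k):
    """Fourier-Motzkin elimination of variable k: each row with a positive
    coefficient on x_k is combined with each row with a negative one so
    that x_k cancels; rows not mentioning x_k are kept unchanged."""
    pos = [r for r in rows if r[0][k] > 0]
    neg = [r for r in rows if r[0][k] < 0]
    out = [r for r in rows if r[0][k] == 0]
    for pc, pr in pos:
        for nc, nr in neg:
            a, b = pc[k], -nc[k]          # both positive
            out.append(([b * p + a * q for p, q in zip(pc, nc)], b * pr + a * nr))
    return out

def maximise(objective, constraints, n):
    """Maximum of objective.x over the polyhedron given by `constraints`.
    Returns None when the polyhedron is empty and inf when unbounded.
    A fresh variable z = objective.x is appended, every x_i is eliminated,
    and the surviving rows bound z alone."""
    rows = []
    for lo, coeffs, hi in constraints:
        rows.extend(bounds_to_rows(lo, coeffs, hi))
    rows = [(c + [F(0)], r) for c, r in rows]
    obj = [F(v) for v in objective]
    rows.append(([-v for v in obj] + [F(1)], F(0)))   # z - obj.x <= 0
    rows.append((obj + [F(-1)], F(0)))                # obj.x - z <= 0
    for k in range(n):
        rows = eliminate(rows, k)
    lower, upper = -inf, inf
    for c, r in rows:
        a = c[n]
        if a == 0:
            if r < 0:                 # 0 <= negative: infeasible system
                return None
        elif a > 0:
            upper = min(upper, r / a)
        else:
            lower = max(lower, r / a)
    return None if lower > upper else upper

def simple_hre_satisfies(locations, delta, ldi):
    """Decide R |= D for the simple HRE (locations, delta).  For each
    conjunct sum_i c_i int S_i <= M the objective coefficient of lambda_u
    is the sum of the c_i whose state S_i holds at v_u; the constraints are
    C1 = delta and C2 = t <= sum lambda_u <= T; R |= D iff every maximum
    is <= M.  An infeasible LP means D holds vacuously."""
    n = len(locations)
    t_low, t_high, conjuncts = ldi
    c2 = (t_low, [1] * n, t_high)
    for terms, m in conjuncts:
        objective = [sum(c for c, s in terms if v in s) for v in locations]
        best = maximise(objective, delta + [c2], n)
        if best is not None and best > m:
            return False
    return True

# Constructed instance: the four water-level locations of Section 4.1 with
# the two invariants rewritten as "<= M" conjuncts:
#   level <= 12  <=>  (int s1 + int s2) - 2 (int s3 + int s4) <= 11
#   level >= 1   <=>  -(int s1 + int s2) + 2 (int s3 + int s4) <= 0
LOCS = ["s1", "s2", "s3", "s4"]
RISING, FALLING = {"s1", "s2"}, {"s3", "s4"}
WATER_LEVEL_LDI = (0, inf, [([(1, RISING), (-2, FALLING)], 11),
                            ([(-1, RISING), (2, FALLING)], 0)])
# Delta_A (assumed): each dwell time lies between 0 and 4 seconds.
BOX = [(0, [1 if j == i else 0 for j in range(4)], 4) for i in range(4)]
# Delta_B (assumed) adds that one pass through the four locations is
# level-neutral: l1 + l2 - 2 l3 - 2 l4 = 0.
LEVEL_NEUTRAL = (0, [1, 1, -2, -2], 0)

if __name__ == "__main__":
    print(maximise([1, 1, -2, -2], BOX + [(0, [1] * 4, inf)], 4))        # 8
    print(simple_hre_satisfies(LOCS, BOX, WATER_LEVEL_LDI))               # False
    print(simple_hre_satisfies(LOCS, BOX + [LEVEL_NEUTRAL], WATER_LEVEL_LDI))  # True
```

Under `BOX` alone the second conjunct's objective reaches 16 (four seconds each in $s_3$ and $s_4$), so the level bound $\ge 1$ can be violated and the HRE does not satisfy $\mathcal{D}$; adding `LEVEL_NEUTRAL` pins both objectives to 0 and the check passes. Fourier–Motzkin grows exponentially in the number of variables, so for real HREs the paper's choice of an LP solver is the right one; the elimination is used here only to keep the example dependency-free and exact.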

Let $\mathcal{N} = \mathcal{R}_1 \oplus \mathcal{R}_2 \oplus \ldots \oplus \mathcal{R}_m$ be a normal form. Hence, each $\mathcal{R}_i$ ($1 \le i \le m$) is a simple HRE. Since, by Definition 3,

$\bigwedge_{i=1}^{m} \mathcal{R}_i \models \mathcal{D}$,

the problem of checking $\mathcal{N}$ for $\mathcal{D}$ can be solved by solving $m$ linear programming problems $\mathcal{R}_i \models \mathcal{D}$, $i = 1, 2, \ldots, m$.

Therefore, for a general HRE $\mathcal{R}$ and a linear duration invariant $\mathcal{D}$, if we can effectively find a normal form $\mathcal{N}$ such that $\mathcal{R} \models \mathcal{D}$ if and only if $\mathcal{N} \models \mathcal{D}$, then we can check $\mathcal{R} \models \mathcal{D}$ effectively.

For an HRE $\mathcal{R}$ and a linear duration invariant $\mathcal{D}$, we attempt to find a normal form $\mathcal{N}$ such that $\mathcal{L}(\mathcal{R}) \models \mathcal{D}$ if and only if $\mathcal{L}(\mathcal{N}) \models \mathcal{D}$ by the following procedure:

Step 0. Let $\mathcal{R}' := \mathcal{R}$.

Step 1. For $\mathcal{R}'$, distributing $^\frown$ over $\oplus$, and $[a, b]$ over $\oplus$, we obtain $Q$. If $Q$ is a normal form, then we are done.

Step 2. For a sub-expression $Q_s$ of $Q$ which is of the form $Q_s = Q_1^*$, replacing an occurrence of $Q_s$ in $Q$ with $X$, we obtain a context $C_Q(X)$ such that $\mathcal{R}' = C_Q(Q_s)$.

Step 3. Find an HRE $Q'_s$ in which there is no occurrence of the combinator $*$ such that $C_Q(Q_s) \models \mathcal{D}$ if and only if $C_Q(Q'_s) \models \mathcal{D}$. Let $\mathcal{R}' := C_Q(Q'_s)$, and go to Step 1. □

Obviously the procedure is correct. The problem is how to find $Q'_s$ in Step 3. The following lemmas and theorems will help to solve that problem.

Let $C(X)$ be a context.

Lemma 4. Let $\mathcal{R}$ and $\mathcal{R}'$ be HREs. If for any $\sigma \in \mathcal{L}(\mathcal{R})$, there is $\sigma' \in \mathcal{L}(\mathcal{R}')$ such that $\tau(\sigma) = \tau(\sigma')$ and $\theta(\sigma, \mathcal{D}) \le \theta(\sigma', \mathcal{D})$, then $\mathcal{L}(\mathcal{R}') \models \mathcal{D}$ implies $\mathcal{L}(\mathcal{R}) \models \mathcal{D}$. □

Lemma 5. Suppose $\omega(C(X)) = \infty$, and $\mathcal{R}$ be a nonzero-simple HRE such that $M_\theta(\mathcal{R}) \le 0$. Then for any real number $N_t$, for any $\sigma \in \mathcal{L}(C(\mathcal{R}^*))$ such that $\tau(\sigma) \ge N_t$, there is $\sigma' \in \mathcal{L}(C(\oplus_{j=0}^{p} \mathcal{R}^j))$ such that

$\tau(\sigma') \ge N_t$ and $\theta(\sigma, \mathcal{D}) \le \theta(\sigma', \mathcal{D})$,

where $p = \lfloor h/m_T(\mathcal{R}) \rfloor + 1$, and $h = \max(\varphi(C(X)), N_t)$. □

Lemma 6. Suppose $\omega(C(X)) = \infty$, and $\mathcal{R}$ be a nonzero-simple HRE such that $M_\theta(\mathcal{R}) > 0$. Then for any nonnegative real numbers $N_t$ and $M_r$, there is $\sigma \in \mathcal{L}(C(\mathcal{R}^*))$ such that $\tau(\sigma) \ge N_t$ and $\theta(\sigma, \mathcal{D}) > M_r$. □

Lemma 7. Suppose $\mathcal{R}$ be a nonzero-simple HRE, and $N_t$ be a nonnegative real number. Then for any $\sigma \in \mathcal{L}(C(\mathcal{R}^*))$, $\tau(\sigma) \le N_t$ implies $\sigma \in \mathcal{L}(C(\oplus_{j=0}^{p} \mathcal{R}^j))$, where $p = \lfloor N_t/m_T(\mathcal{R}) \rfloor + 1$. □

Lemma 8. Let $\mathcal{R}$ be a nonzero-simple HRE. Then $\mathcal{L}(C(\oplus_{j=0}^{p} \mathcal{R}^j)) \supseteq \mathcal{L}(C(\mathcal{R}^*))$, where $p = \lfloor \omega(C(X))/m_T(\mathcal{R}) \rfloor + 1$. □

These lemmas can be proved by induction on the structure of context. Their detailed proofs are omitted because of space considerations. From these lemmas, we can prove the following theorems.

Theorem 7. Let $\mathcal{R}_1$ and $\mathcal{R}_2$ be HREs. Then

$C((\mathcal{R}_1 \oplus \mathcal{R}_2)^*) \models \mathcal{D}$ iff $C((\mathcal{R}_1^*)^\frown(\mathcal{R}_2^*)) \models \mathcal{D}$.

Proof. By Definition 1, $\mathcal{L}((\mathcal{R}_1^*)^\frown(\mathcal{R}_2^*)) \subseteq \mathcal{L}((\mathcal{R}_1 \oplus \mathcal{R}_2)^*)$. From Lemma 4, one half of the claim follows, i.e. $C((\mathcal{R}_1 \oplus \mathcal{R}_2)^*) \models \mathcal{D}$ implies $C((\mathcal{R}_1^*)^\frown(\mathcal{R}_2^*)) \models \mathcal{D}$. The other half can be proved as follows. For any $\sigma_1 \in \mathcal{L}(\mathcal{R}_1)$ and $\sigma_2 \in \mathcal{L}(\mathcal{R}_2)$, since $\tau(\sigma_1{}^\frown\sigma_2) = \tau(\sigma_1) + \tau(\sigma_2)$ and $\theta(\sigma_1{}^\frown\sigma_2, \mathcal{D}) = \theta(\sigma_1, \mathcal{D}) + \theta(\sigma_2, \mathcal{D})$, we have $\tau(\sigma_1{}^\frown\sigma_2) = \tau(\sigma_2{}^\frown\sigma_1)$ and $\theta(\sigma_1{}^\frown\sigma_2, \mathcal{D}) = \theta(\sigma_2{}^\frown\sigma_1, \mathcal{D})$. Therefore, any $\sigma \in \mathcal{L}(C((\mathcal{R}_1 \oplus \mathcal{R}_2)^*))$ can be permuted into $\sigma' \in \mathcal{L}(C((\mathcal{R}_1^*)^\frown(\mathcal{R}_2^*)))$. Hence, from Lemma 4, the result follows. □

Theorem 8. Let $\mathcal{R} = ((v_1, \lambda_1)^\frown(v_2, \lambda_2)^\frown \ldots {}^\frown(v_m, \lambda_m), \Delta)$ be a zero-simple HRE. Let $\Delta'$ be the set

$\{\, 0 \le \sum_{i=1}^{m} c_i \lambda_i \;|\; 0 \le \sum_{i=1}^{m} c_i \lambda_i \le b \in \Delta \;\wedge\; \exists j \cdot (1 \le j \le m \wedge c_j < 0) \,\}$,

and $\mathcal{R}' = ((v_1, \lambda_1)^\frown(v_2, \lambda_2)^\frown \ldots {}^\frown(v_m, \lambda_m), \Delta')$. Then $C(\mathcal{R}^*) \models \mathcal{D}$ iff $C(\mathcal{R}') \models \mathcal{D}$.

Proof. Before the proof, we should note that by the definition of zero-simple HREs, $\tau(\mathcal{R}) = 0$ implies that for any inequality $a \le c_1\lambda_1 + c_2\lambda_2 + \ldots + c_m\lambda_m \le b$ in $\Delta$, $a \le 0$ and $b \ge 0$.

The half of the claim that $C(\mathcal{R}') \models \mathcal{D}$ implies $C(\mathcal{R}^*) \models \mathcal{D}$ is explained as follows. By Definition 1, any $\sigma \in \mathcal{L}(\mathcal{R}^*)$ is of the form $\sigma_1{}^\frown\sigma_2{}^\frown \ldots {}^\frown\sigma_n$, where

$\sigma_i = (v_1, t_{i1})^\frown(v_2, t_{i2})^\frown \ldots {}^\frown(v_m, t_{im}) \in \mathcal{L}(\mathcal{R}) \quad (i = 1, 2, \ldots, n)$.

For any $j$ ($1 \le j \le m$), let $t'_j = t_{1j} + t_{2j} + \ldots + t_{nj}$, and let

$\sigma' = (v_1, t'_1)^\frown(v_2, t'_2)^\frown \ldots {}^\frown(v_m, t'_m)$.

Since for any $i$ ($1 \le i \le n$), $t_{i1}, t_{i2}, \ldots, t_{im}$ satisfy $\Delta$, $t'_1, t'_2, \ldots, t'_m$ satisfy $\Delta'$ as well. It follows that $\sigma' \in \mathcal{L}(\mathcal{R}')$. Since $\theta(\sigma, \mathcal{D}) = \theta(\sigma', \mathcal{D})$ and $\tau(\sigma) = \tau(\sigma')$, the first half of the claim follows from Lemma 4.

The other half of the claim, i.e. $C(\mathcal{R}^*) \models \mathcal{D}$ implies $C(\mathcal{R}') \models \mathcal{D}$, can be proved as follows. For any $\sigma' = (v_1, t_1)^\frown(v_2, t_2)^\frown \ldots {}^\frown(v_m, t_m) \in \mathcal{L}(\mathcal{R}')$, since $t_1, t_2, \ldots, t_m$ satisfy $\Delta'$, for any $0 \le \sum_{j=1}^{m} c_j\lambda_j \le b \in \Delta$ we have $\sum_{j=1}^{m} c_j t_j \ge 0$. Because for each inequality $a \le c_1\lambda_1 + c_2\lambda_2 + \ldots + c_m\lambda_m \le b$ in $\Delta$, $a \le 0$ and $b \ge 0$, and because $\Delta$ is a finite set, we can choose a natural number $p$ such that for any inequality $a \le c_1\lambda_1 + c_2\lambda_2 + \ldots + c_m\lambda_m \le b \in \Delta$,

$a \le \dfrac{c_1 t_1 + c_2 t_2 + \ldots + c_m t_m}{p} \le b$.

For each $i$ ($1 \le i \le m$), let $b_i = t_i/p$, and let $\sigma_b = (v_1, b_1)^\frown(v_2, b_2)^\frown \ldots {}^\frown(v_m, b_m)$. Obviously, $\sigma_b \in \mathcal{L}(\mathcal{R})$. Let

$\sigma = \underbrace{\sigma_b{}^\frown\sigma_b{}^\frown \ldots {}^\frown\sigma_b}_{p}$.

It follows that $\sigma \in \mathcal{L}(\mathcal{R}^*)$. Since $\theta(\sigma, \mathcal{D}) = \theta(\sigma', \mathcal{D})$ and $\tau(\sigma) = \tau(\sigma')$, by Lemma 4, $C(\mathcal{R}^*) \models \mathcal{D}$ implies $C(\mathcal{R}') \models \mathcal{D}$. □

Theorem 9. Suppose $\omega(C(X)) = \infty$, $T = \infty$, and $\mathcal{R}$ be a nonzero-simple HRE such that $M_\theta(\mathcal{R}) > 0$. Then $C(\mathcal{R}^*) \not\models \mathcal{D}$.

Proof. The theorem follows immediately from Lemma 6. □

Theorem 10. Suppose $\omega(C(X)) = \infty$, $T = \infty$, and $\mathcal{R}$ be a nonzero-simple HRE such that $M_\theta(\mathcal{R}) \le 0$. Then $C(\mathcal{R}^*) \models \mathcal{D}$ iff $C(\oplus_{j=0}^{p} \mathcal{R}^j) \models \mathcal{D}$, where $p = \lfloor h/m_T(\mathcal{R}) \rfloor + 1$, $h = \max(\varphi(C(X)), t)$.

Proof. By Definition 1, $\mathcal{L}(\mathcal{R}^*) \supseteq \mathcal{L}(\oplus_{j=0}^{p} \mathcal{R}^j)$ holds, which by Lemma 4 implies a half of the claim, i.e. $C(\mathcal{R}^*) \models \mathcal{D}$ implies $C(\oplus_{j=0}^{p} \mathcal{R}^j) \models \mathcal{D}$. The other half is straightforward from Lemma 5. □

Theorem 11. Suppose $\omega(C(X)) \ne \infty$ or $T \ne \infty$, and $\mathcal{R}$ be a nonzero-simple HRE. Then $C(\mathcal{R}^*) \models \mathcal{D}$ iff $C(\oplus_{j=0}^{p} \mathcal{R}^j) \models \mathcal{D}$, where $p = \lfloor h/m_T(\mathcal{R}) \rfloor + 1$, $h = \min(\omega(C(X)), T)$.

Proof. One half of the claim, i.e. $C(\mathcal{R}^*) \models \mathcal{D}$ implies $C(\oplus_{j=0}^{p} \mathcal{R}^j) \models \mathcal{D}$, is exactly the same as in the proof of Theorem 10. The other half of the claim is a direct consequence of Lemmas 7 and 8. □

Based on the above theorems, the algorithm to check an HRE $\mathcal{R}$ for a linear duration invariant $\mathcal{D}$ is now described as follows.

Step 0. Let $\mathcal{R}' := \mathcal{R}$.

Step 1. For $\mathcal{R}'$, distributing $^\frown$ over $\oplus$, and $[a, b]$ over $\oplus$, we obtain $Q$.

Step 2. Find a sub-expression $Q_s$ of $Q$ which has one of the following three forms:

1. $Q_s = (\mathcal{R}_1 \oplus \mathcal{R}_2 \oplus \ldots \oplus \mathcal{R}_k)^*$ ($k \ge 2$), where every $\mathcal{R}_i$ ($1 \le i \le m$) is a simple HRE.

2. $Q_s = \mathcal{R}_1^*$, where $\mathcal{R}_1$ is a nonzero-simple HRE.

3. $Q_s = \mathcal{R}_1^*$, where $\mathcal{R}_1$ is a zero-simple HRE.

If no such $Q_s$ can be found, goto Step 6 (note that it is not difficult to prove that if no such $Q_s$ exists, then $Q$ is a normal form); otherwise, replacing the occurrence of $Q_s$ in $Q$ with $X$, we get a context $C_Q(X)$ such that $Q = C_Q(Q_s)$. Then, if $Q_s$ has the first form, goto Step 3; if $Q_s$ has the second form, goto Step 4; if $Q_s$ has the third form, goto Step 5.

Step 3. By Theorem 7, we transform $Q$ into $Q' = C_Q((\mathcal{R}_1)^* {}^\frown (\mathcal{R}_2)^* {}^\frown \ldots {}^\frown (\mathcal{R}_m)^*)$. Thus, let $\mathcal{R}' := Q'$, and goto Step 1.

Step 4. We first calculate $\omega(C_Q(X))$ and $M_\theta(\mathcal{R}_1)$. If $\omega(C_Q(X)) \ne \infty$ or $T \ne \infty$, then by Theorem 11, we transform $Q$ into $Q' = C_Q(\oplus_{j=0}^{p} \mathcal{R}_1^j)$, where $p = \lfloor h/m_T(\mathcal{R}_1) \rfloor + 1$, and $h = \min(\omega(C_Q(X)), T)$. Therefore, let $\mathcal{R}' := Q'$, and goto Step 1.

Otherwise, $\omega(C_Q(X)) = \infty$ and $T = \infty$. If $M_\theta(\mathcal{R}_1) > 0$, then by Theorem 9, we conclude $C_Q(\mathcal{R}_1^*) \not\models \mathcal{D}$ and exit. Otherwise, by Theorem 10, we transform $Q$ into $Q' = C_Q(\oplus_{j=0}^{p} \mathcal{R}_1^j)$, where $p = \lfloor h/m_T(\mathcal{R}_1) \rfloor + 1$, and $h = \max(\varphi(C_Q(X)), t)$. Let $\mathcal{R}' := Q'$, and goto Step 1.

Step 5. By Theorem 8, we transform $Q$ into $Q' = C_Q(\mathcal{R}_1')$, where $\mathcal{R}_1'$ is the simple HRE defined from $\mathcal{R}_1$ in Theorem 8. Let $\mathcal{R}' := Q'$, and goto Step 1.

Step 6. Since $Q$ is a normal form now, we check $Q \models \mathcal{D}$ by linear programming. If $Q \models \mathcal{D}$, then $\mathcal{R} \models \mathcal{D}$; otherwise $\mathcal{R} \not\models \mathcal{D}$. □


5 Conclusion

In this paper, we introduce Hybrid Regular Expressions to define a class of linear hybrid automata for which two classes of reachability problems and the satisfaction problem for linear duration invariants are decidable. We use linear programming techniques for checking this class of linear hybrid automata. The idea comes from [4], in which the satisfaction problem of linear duration invariants for a simple class of real-time automata is solved by linear programming techniques, which are well established. In [5] the problem for timed automata has been solved by mixed integer/linear programming techniques. Because of the advantages of the approach of [4] in comparison to the others, in [9] we have generalised it to a subclass of timed automata. In [10], by developing the techniques in [4,9], we show that by linear programming techniques the problem can be solved totally for a class of linear hybrid automata. In this paper, we use similar techniques to define a larger decidable class of linear hybrid automata which includes the class of linear hybrid automata defined in [10].

We note the work in [8], in which timed regular expressions of the same expressive power as timed automata are introduced. We are inspired by it and attempt to extend Hybrid Regular Expressions in the future such that they have the same expressive power as linear hybrid automata.
Abstract. We present a framework for designing stable control schemes for systems whose dynamic equations change as they evolve on the state space. It is usually difficult or even impossible to design a single controller that would stabilize such a system. An appealing alternative is a switching control scheme, where a different controller is employed on each of the regions defined by different dynamic characteristics and the stability of the overall system is ensured through an appropriate switching scheme. We derive sufficient conditions for the stability of a switching control scheme in a form that can be used for controller design. An important feature of the proposed framework is that although the overall hierarchy can be very complicated, the stability depends only on the immediate relation of each controller to its neighbors. This makes the application of our results particularly straightforward. The methodology is applied to stabilization of a shimmying wheel, where changes in the dynamics are due to switches between sliding and rolling.


1  Introduction 

The design of controllers for hybrid systems is a difficult problem that is still not satisfactorily solved. Most existing design methodologies assume that the underlying dynamics are continuous and that the hybrid behavior arises because the system must perform several functions. The control synthesis task is then to design controllers that achieve each of the functions and a coordination scheme that guarantees that properties like safety and liveness are satisfied at all times. This work addresses a different problem. We study dynamical systems that change their dynamic behavior as they evolve in the state space. The hybrid nature is thus inherent in the dynamics of the system and does not come from the controller specification. In this paper we study the problem of stabilization of such systems. The goal is to design a controller that stabilizes an equilibrium set in one of the regions, moving through other regions if necessary. We achieve this by designing a controller on each of the regions and a scheme for switching between these controllers. We show that the stability of the overall system can be guaranteed by imposing conditions on controllers that operate on adjacent regions. This leads to modularity of the design process and considerably simplifies the synthesis problem. The stability analysis is based on Lyapunov functions.

A starting point for controller design is a choice of a formalism for description of a hybrid system. In the literature we can find several alternatives. Alur et al. [1] and Nicollin et al. [2] defined the notion of hybrid automaton, building their work on automata theory. Brockett [3] devised his model using the theory of dynamical systems. Other works in this category are [4] and [5]. Branicky gives an overview of such models and relates them to his own model [6]. We use models in this second group for our work.

Prior  work  on  hybrid  controller  design  has  often  been  limited  to  specific 
applications.  Lygeros  et  al.  [7]  proposed  a  game-theoretic  framework  for  design 
of  controllers  for  intelligent  highway  systems  and  air  traffic  control  systems. 
Puri  [8]  and  Deshpande  [9]  developed  methods  for  controller  design  using  a 
simplified  version  of  hybrid  automata.  Kohn  et  al.  developed  a  methodology  for 
coordination  of  multiple  agents  [10].  Branicky  &  Mitter  [11]  and  Zefran  et  al.  [12] 
employed  optimal  control  for  synthesis  of  open-loop  trajectories.  Goodwine  & 
Burdick  [13]  developed  a  controllability  test  and  a  planning  method  for  a  class  of 
hybrid  systems  called  stratified  systems.  An  important  step  in  controller  design 
is  verification.  The  approaches  in  [7]-[9]  include  verification  as  an  integral  part 
of  the  design  process.  Some  other  works  that  address  the  verification  are  [14], 
[15],  and  [16]. 

A number of authors considered stability of hybrid controllers. Branicky [17] devised sufficient conditions for stability of a system that switches between different controllers that stabilize an equilibrium point. Based on this work, Malmborg et al. [18] proposed a strategy for choosing a controller among several available controllers so that the overall system is stable. Both papers allow dynamic equations to change, but they are primarily concerned with the case when the equilibrium point is the same for each controller so there is no need to actively drive the system into some designated region, as we do in the present paper. An earlier work on stability of switching controllers is also [19].

The  idea  of  driving  the  system  through  a  sequence  of  equilibrium  points  until 
a  desired  equilibrium  point  is  reached  was  employed  in  [20].  In  this  work,  the 
switch  between  different  controllers  always  occurs  at  an  equilibrium  point.  The 
authors  also  assume  that  the  region  of  attraction  of  each  controller  is  known  so 
there  is  no  need  for  Lyapunov  functions  to  prove  the  stability. 

The  paper  is  organized  as  follows.  We  start  with  a  motivating  example  and 
introduce  some  notions  for  stability  analysis  on  manifolds.  We  next  formulate 
three  propositions  that  give  sufficient  conditions  for  the  stability  of  a  switching 
controller.  The  propositions  are  progressively  less  abstract  and  lead  to  a  practical 
synthesis  methodology.  We  then  apply  the  methodology  to  solve  the  problem  of 
stabilization  for  the  classical  shimmying  wheel.  We  demonstrate  the  behavior  of 
the  controller  with  some  simulation  results  and  conclude  the  paper  with  a  brief 
discussion. 

2  Preliminaries 

To motivate the theoretical development we start with an example. The system that we study is the classical shimmying wheel [21, 22]. A schematic of the shimmying wheel is shown in Fig. 1. A rigid link with a wheel is attached to a hinge joint, which is in turn connected to a rigid object through a sliding joint between two springs (Fig. 1). The control input is the torque at the hinge joint. The object moves with a constant velocity $v$ in the direction perpendicular to the axis of the sliding joint. The shimmying wheel can be seen as a simplified model of an aircraft nose wheel or a motorcycle front wheel, with the springs modeling the compliance of the wheel and the wheel attachment [22]. It can also serve as a model of a vehicle towing a trailer, with the springs abstracting the compliance in the kingpin.


Fig.  1.  A  top  view  and  a  side  view  of  a  shimmying  wheel. 


The  goal  of  control  is  to  stabilize  the  wheel  so  that  the  bar  is  aligned  with 
the  direction  of  v  (perpendicular  to  the  sliding  axis)  and  the  slider  is  in  the 
neutral  position  between  the  two  springs  (the  forces  of  the  springs  are  equal  in 
magnitude  and  of  the  opposite  sign).  This  task  is  complicated  by  the  fact  that 
the  system  can  operate  in  two  regimes:  the  wheel  can  either  roll  without  sliding 
or  it  can  slip.  The  slipping  regime  is  undesirable,  but  often  unavoidable.  The 
system  will  switch  between  rolling  and  sliding  depending  on  the  magnitude  of 
the  contact  force  between  the  wheel  and  the  ground:  the  wheel  will  slip  if  the 
force  in  rolling  would  be  greater  than  the  friction  force.  If  we  assume  a  feedback 
control  law  for  the  torque  about  the  hinge  joint,  the  contact  force  is  completely 
determined  by  the  state  of  the  system  and  the  state  space  gets  divided  into  two 
regions  separated  by  a  switching  surface  on  which  the  contact  force  equals  the 
friction  force.  In  each  of  the  regions  the  equations  of  motion  are  different.  It  is 
therefore  unlikely  that  a  single  controller  could  stabilize  the  system  and  even  if 
one  exists  it  is  not  clear  how  to  design  it. 

A controller that is designed without taking the hybrid nature of the dynamics into account can produce undesired results. It is for example possible to design a stable controller that linearizes the shimmying wheel dynamics if the wheel is rolling. Figure 2(a) shows that this controller efficiently stabilizes the system. However, if the same controller is used while the wheel is sliding, it can destabilize the system, as can be seen in Fig. 2(b). This example shows that a more comprehensive approach to design of controllers for systems with hybrid dynamics is needed.


Fig.  2.  A  linearizing  controller  applied  in  rolling  (a)  and  sliding  (b). 


2.1  Stability  theory  on  manifolds 

We are interested in stabilizing submanifolds (possibly unbounded). Conventional Lyapunov theory cannot be directly applied to this setting, so we need to introduce some additional concepts (see [23]).

Definition 1. A distance between a point $x$ and a set $E \subset \mathbb{R}^n$ is defined by:

$\rho(x, E) = \inf_{y \in E} d(x, y)$ (1)

A ball with radius $R$ around $E$ is the set $B(E, R) = \{ x \;|\; \rho(x, E) < R \}$.

Definition 2. A smooth manifold $E \subset M$ is locally stable if for any $R > 0$ there exists $r > 0$ such that if $\rho(x(t_0), E) < r$ then $\rho(x(t), E) < R$ for every $t \ge t_0$. If, in addition, $\lim_{t \to \infty} \rho(x(t), E) = 0$, then we say that $E$ is locally asymptotically stable.

Definition 3. A submanifold $E \subset M$ is locally attractive if there exists $R > 0$ such that if $\rho(x(t_0), E) < R$ then $\lim_{t \to \infty} \rho(x(t), E) = 0$. We also say that trajectories starting inside $B(E, R)$ converge to $E$.

Theorem 4 [24, 25]. If for a control system $\Sigma$ there exists a $C^1$ function $V : M \to \mathbb{R}$ such that:

(1) $V(x) \ge 0$ and $V(x) = 0 \Leftrightarrow x \in E$;

(2) there exists a monotonically increasing function $\alpha : \mathbb{R}^+ \to \mathbb{R}^+$, $\alpha(0) = 0$, such that $\alpha(\rho(x, E)) \le V(x)$;

(3) there exists a monotonically increasing function $\beta : \mathbb{R}^+ \to \mathbb{R}^+$, $\beta(0) = 0$, such that $V(x) \le \beta(\rho(x, E))$;

(4) $\dot{V}(x) \le 0$, where $\dot{V}$ is the derivative of $V$ along the trajectories of $\Sigma$;

then the manifold $E$ is locally stable. If in addition:

(5) there exists a monotonically increasing function $\gamma : \mathbb{R}^+ \to \mathbb{R}^+$, $\gamma(0) = 0$, such that $\dot{V}(x) \le -\gamma(\rho(x, E)) < 0$,

then $E$ is locally asymptotically stable.


2.2 Modeling

In this section we describe the setting that will be used to formally describe systems whose dynamics change. Suppose we have a dynamical system $\Sigma$ and a collection of (differentiable, connected) manifolds $\mathcal{M} = \{M_1, M_2, \ldots, M_n\}$. The manifolds need not be disjoint; they can be subsets of each other, and in some cases it will even be convenient to take some of them to be equal. This collection of manifolds must reflect the changing dynamics, but additional manifolds can be defined for the purposes of a particular application. An example of a collection of manifolds is shown in Fig. 3(a). On each manifold, the system is described with a set of equations:

$$\dot x_i = f_i(x_i, u_i, t), \qquad (2)$$

where $x_i$ is the state of the system and $u_i$ is the vector of inputs for the system evolving on the submanifold $M_i$. In general, the $f_i$'s can be different to reflect changes in the dynamics of the system. Also the dimensions of the manifolds might be different. For example, in the case of the shimmying wheel, the manifolds $M_1$ and $M_2$ would correspond to sliding and rolling, respectively, where $M_1$ is the whole space and $M_2$ is the subspace on which the rolling constraint is satisfied. We will assume that on each manifold $M_i$ we design a controller $g_i$:

$$u_i = g_i(x_i, t). \qquad (3)$$

The reason for allowing some manifolds in the collection $\mathcal{M}$ to be the same is that we may wish to define different controllers on the same physical space. Let $E_n \subset M_n$ be a manifold to which we wish to steer the system $\Sigma$. The problem that we address in this paper is how to design the controllers $g_i$ and a rule for switching among them (a switching scheme) that stabilizes the system to $E_n$ (if possible globally). This task is complicated by the fact that, in general, we do not know the sequence of the manifolds that the dynamical system will traverse. Take for example the shimmying wheel. If the system is rolling, the controller action might cause the wheel to slip, but it is conceivable that within a certain region such switching does not happen. And it is of course always possible that a disturbance (for example a slippery patch) causes the rolling wheel to slip.

Fig. 3. (a) A sequence of embedded manifolds; (b) the corresponding graph.

The topology of a system evolving on a collection of manifolds can be described with a graph. The vertices of the graph correspond to different manifolds. There will be an edge from a manifold $M_i$ to a manifold $M_j$ if it is possible to switch from $M_i$ to $M_j$ (there exists a trajectory that passes from $M_i$ to $M_j$). For example, if we assume that a nonempty intersection of two manifolds implies that it is possible to pass between the manifolds, the graph for the system in Fig. 3(a) would be Fig. 3(b).

3 Sufficient conditions for stability

Take a control system $\Sigma$ evolving on the collection of manifolds $\mathcal{M}$. Assume that on each manifold $M_i$, we have a controller $g_i$ (i.e., $u_i = g_i(x,t)$). Let the controller $g_n$ stabilize the manifold $E_n$ (i.e., the target manifold). Assume we can construct a Lyapunov function $V_n$ which satisfies the conditions (1)-(5) of Theorem 4. Let

$$S : \mathbb{R}^n \times \{1, \ldots, n\} \to \{1, \ldots, n\}, \qquad (x,\eta) \mapsto S(x,\eta) \qquad (4)$$

denote the switching scheme. In other words, the function $S$ selects the controller to be used, depending on the state $x$ and the controller that is currently used, $\eta$. Clearly, $S(x,\eta) = i$ implies $x \in M_i$, since $g_i$ is only defined on $M_i$. The following proposition gives sufficient conditions for $E_n$ to be globally attractive:

Proposition 5. Let the switching scheme $S$ satisfy the following conditions:

1. There exists $L > 0$ such that $S(x,n) = n$ for every $x \in B(E_n,L) \cap M_n$.

2. For any trajectory $x(t)$ there exists a $\Delta > 0$ and an infinite sequence $\{t_i\}$ whose elements satisfy:

(a) for every $t \in [t_i, t_i + \Delta]$, $S(x(t),\eta(t)) = n$;

(b) $V(t_i + \Delta) > V(t_{i+1})$.

Then the submanifold $E_n$ is globally attractive.

Fig. 4. Values of the Lyapunov function and a sequence satisfying condition 2(b) of Proposition 5.

Remark: Condition (1) guarantees that there is a region around $E_n$ in which it is not possible to switch from $g_n$ to some other controller $g_i$. That is, we assume that the controller $g_n$ can capture and stabilize $\Sigma$ in some region around $E_n$. Condition (2) states that regardless of the current state, the system will eventually come under the control of $g_n$ and stay under the control of $g_n$ for at least time $\Delta$. Furthermore, we can find a sequence of time subintervals of length at least $\Delta$ so that the Lyapunov function restricted to the union of these intervals is monotonically decreasing.

Proof. Let $\{t_i\}$ be a sequence given by condition (2). Since the Lyapunov function $V$ is monotonically decreasing when the system evolves on $M_n$, condition 2(b) implies that $t_{i+1} - t_i > \Delta$. Now take $I_n = \bigcup_{k \in \mathbb{N}} [t_k, t_k + \Delta]$ and consider the system evolving on $I_n$. By assumption, $V$ satisfies the conditions of Theorem 4, so we can find monotonically increasing functions $\alpha$, $\beta$ and $\gamma$ such that $\alpha(\rho(x,E_n)) \leq V(x) \leq \beta(\rho(x,E_n))$ and $\dot V(x) \leq -\gamma(\rho(x,E_n)) \leq 0$. Let $r = \rho(x(t_0),E_n)$ and let $\epsilon$ be an arbitrary number such that $0 < \epsilon < r$. Then we can find $\delta > 0$ such that $\beta(\delta) < \alpha(\epsilon)$. Let $K$ be an integer such that $K > \beta(r)/(\Delta\gamma(\delta))$ and take $\tau = t_K + \Delta$. Suppose that $\rho(x(t),E_n) > \epsilon$ for every $t \in I_n \cap [t_0,\tau]$. Then we have:

$$0 < \alpha(\epsilon) \leq V(x(\tau)) = V(x(t_K)) + \int_{t_K}^{t_K+\Delta} \dot V(x(t))\,dt \leq V(x(t_K)) - \int_{t_K}^{t_K+\Delta} \gamma(\rho(x(t),E_n))\,dt \leq V(x(t_K)) - \int_{t_K}^{t_K+\Delta} \gamma(\delta)\,dt = V(x(t_K)) - \Delta\gamma(\delta) \leq V(x(t_{K-1})) - \Delta\gamma(\delta) \leq \ldots \leq V(x(t_0)) - K\Delta\gamma(\delta) \leq \beta(r) - K\Delta\gamma(\delta) < 0 \qquad (5)$$

This is a contradiction, implying that there exists $\tau' \in I_n \cap [t_0,\tau]$ such that $\rho(x(\tau'),E_n) < \delta$. But then for every $t \in I_n$ such that $t > \tau'$:

$$\alpha(\rho(x(t),E_n)) \leq V(x(t)) \leq V(x(\tau')) \leq \beta(\delta) < \alpha(\epsilon)$$

which implies:

$$\rho(x(t),E_n) < \epsilon \quad \forall t > \tau',\ t \in I_n$$

This shows that $\rho(x(t),E_n)$ converges to 0 on $I_n$.

Since $\rho(x(t),E_n)$ converges to 0 on $I_n$, there exists $T > 0$ such that for all $t > T$, $t \in I_n$, $\rho(x(t),E_n) < L$. But by assumption, for $x \in B(E_n,L) \cap M_n$ the system cannot switch from $M_n$ to some $M_j$, $j \neq n$, which means that the system will stay under the control of $g_n$ for all $t > T$ and therefore converge to $E_n$.

While the proposition provides sufficient conditions for convergence of the system trajectories to $E_n$, these conditions are difficult to check and therefore not suitable for controller design. It is particularly difficult to check condition (2). We therefore provide two additional tests that are less general, but are easier to apply.

Take $M_1, M_2, \ldots, M_n$, the collection of manifolds on which a dynamical system evolves, and let $\Lambda = \{1, 2, \ldots, n\}$ be the index set. The switching scheme $S$ defines a relation $\mathrm{Switch}(\Lambda)$, if we put $\mathrm{Switch}(i,j)$ when it is possible to switch from the manifold $M_i$ (controller $g_i$) to the manifold $M_j$ (controller $g_j$). More formally:

$$\mathrm{Switch}(\Lambda) = \{(i,j) \mid \exists x \in M_i \text{ s.t. } S(x,i) = j\} \qquad (6)$$

Note that the graph representing this relation is precisely the graph described in Section 2.2. We can then show:

Proposition 6. Let $\prec$ be a partial order within the transitive closure of the relation $\mathrm{Switch}(\Lambda)$ which has a smallest element, and let this smallest element be $n$. Assume that the switching scheme $S$ has the following properties:

1. There exists $L > 0$ such that $S(x,n) = n$ for every $x \in B(E_n,L) \cap M_n$.

2. If $x(t)$ is a trajectory of $\Sigma$ and $M_i$, $i \neq n$, is a manifold on which $x(t)$ evolves for an infinite amount of time, then there exists $\Delta > 0$ such that for every $T$ we can find $\tau > T$ such that $S(x(t),\eta(t)) \prec i$ for every $t \in [\tau, \tau + \Delta]$.

3. If the system switched from $g_n$ to some other controller at time $t_{\mathrm{off}}$ and if $t_{\mathrm{on}}$ is the time when the system next switches again to $g_n$, then $V(t_{\mathrm{off}}) > V(t_{\mathrm{on}})$.

Then the submanifold $E_n$ is globally attractive.

Remark: The first condition is the same as in Proposition 5, while conditions (2) and (3) together replace condition (2) there. Condition (2) says that for any manifold $M_i$ on which a trajectory stays for an infinite amount of time, we can find a switch at an arbitrarily large time to a manifold that lies lower in the hierarchy implied by $\prec$, and that after such a switch the system evolves on the manifolds that are below $M_i$ for at least $\Delta$.

Proof. We will show that conditions (2) and (3) imply condition (2) of Proposition 5. Let $x(t)$ be a trajectory of $\Sigma$ and let $M_i$ be a manifold on which $x(t)$ evolves for an infinite amount of time. Since we have a finite number of manifolds, there will be at least one such $i$. Condition (2) guarantees that there will be an infinite number of instances when the system evolves for at least $\Delta$ on manifolds that are below $M_i$ in the hierarchy defined by $\prec$. But this implies that $x(t)$ will evolve on these manifolds for an infinite amount of time and, since there are only finitely many manifolds below $M_i$, there must exist a manifold $M_j$ with $j \prec i$ on which $x(t)$ evolves for an infinite amount of time. By proceeding recursively and because $n$ is the smallest element for $\prec$, we conclude that the system must evolve on $M_n$ for an infinite amount of time and in instances that last for at least $\Delta$. Condition (3) guarantees that each time the system switches to $g_n$, the value of the Lyapunov function is smaller than when the system last switched off $M_n$. The existence of the sequence $\{t_i\}$ in condition (2) of Proposition 5 is therefore guaranteed.
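As an added illustration (not code from the paper), the following Python checks the hypotheses that Proposition 6 places on the order $\prec$: it computes the transitive closure of $\mathrm{Switch}(\Lambda)$ from Eq. (6), verifies that a proposed hierarchy is a strict partial order contained in that closure, and finds the smallest element $n$. The switch relation and hierarchy are constructed from the shimmying wheel of Section 4 (index 1 sliding, 2 and 3 rolling), and the reading that $j \prec i$ requires a chain of switches from $M_i$ to $M_j$ is an assumption.

```python
"""Added example: checking the order hypotheses of Proposition 6.
`switch` holds pairs (i, j) meaning a switch from M_i to M_j is possible
(the relation Switch(Lambda) of Eq. (6)); `order` holds pairs (j, i) meaning
j < i, i.e. M_j lies below M_i in the hierarchy."""
from itertools import product


def transitive_closure(relation, nodes):
    """Warshall-style transitive closure of a relation on a finite index set."""
    closure = set(relation)
    for k, i, j in product(nodes, repeat=3):      # k is the outer loop
        if (i, k) in closure and (k, j) in closure:
            closure.add((i, j))
    return closure


def strict_partial_order_errors(order, nodes):
    """Violations of irreflexivity, antisymmetry and transitivity."""
    errors = []
    for a in nodes:
        if (a, a) in order:
            errors.append(f"{a} < {a} (not irreflexive)")
    for a, b in order:
        if (b, a) in order:
            errors.append(f"{a} < {b} and {b} < {a} (not antisymmetric)")
    for (a, b), (c, d) in product(order, repeat=2):
        if b == c and a != d and (a, d) not in order:
            errors.append(f"{a} < {b} < {d} but not {a} < {d} (not transitive)")
    return errors


def smallest_element(order, nodes):
    """The n with n < i for every other i, or None if there is none."""
    for n in nodes:
        if all((n, i) in order for i in nodes if i != n):
            return n
    return None


def check_hierarchy(order, switch, nodes):
    """Return (ok, smallest, problems) for the order hypotheses of Proposition 6:
    a strict partial order, contained in the transitive closure of Switch
    (assumption: j < i needs a chain of switches M_i -> ... -> M_j), with a
    smallest element."""
    problems = strict_partial_order_errors(order, nodes)
    closure = transitive_closure(switch, nodes)
    for j, i in order:
        if (i, j) not in closure:
            problems.append(f"{j} < {i} but no switch path from M_{i} to M_{j}")
    n = smallest_element(order, nodes)
    if n is None:
        problems.append("no smallest element")
    return (not problems, n, problems)


# Constructed data for the shimmying wheel of Section 4: 1 = sliding, 2 and 3 =
# rolling; switches follow S_1, S_2 and the remark that the wheel under g_3 may
# slide again. The hierarchy is the total order 3 < 2 < 1.
WHEEL_NODES = (1, 2, 3)
WHEEL_SWITCH = {(1, 2), (2, 1), (2, 3), (3, 2), (3, 1)}
WHEEL_ORDER = {(3, 2), (2, 1), (3, 1)}

if __name__ == "__main__":
    print(check_hierarchy(WHEEL_ORDER, WHEEL_SWITCH, WHEEL_NODES))  # (True, 3, [])
```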

Using Proposition 6 we can design a stable switching scheme by choosing a partial order, developing controllers on each $M_i$ that guarantee a switch to a lower level with respect to this partial order, and enforcing a decrease of $V$ at switches to $M_n$. However, developing controllers that guarantee a switch to a lower level is still not an easy task. One possible strategy is to make each controller stabilize a certain manifold within a region from which the system switches to manifolds lower in the hierarchy. This special case is important enough that we state a separate proposition.

Proposition 7. Assume a partial order $\prec$ on $\Lambda$ that has a smallest element which is equal to $n$. Let each controller $g_i$ asymptotically stabilize a manifold $E_i$ and assume we can find a Lyapunov function $V_i$ for $g_i$. Let the switching scheme $S$ satisfy the following conditions:

1. For each $i$, there exists $L_i > 0$ such that $S(x,i) \prec i$ for every $x \in B(E_i,L_i) \cap M_i$ (for $i = n$ we require $S(x,n) = n$).

2. There exists $\Delta > 0$ such that if the system switches from $g_i$ to some $g_j$, $j \prec i$, at time $T$, then $S(x(t),\eta(t)) \prec i$ for each $t \in [T, T + \Delta]$.

3. If the system switches from $g_i$ to some $g_j$, $i \prec j$, at time $t_{\mathrm{off}}$ and after that switches again to $g_i$ at time $t_{\mathrm{on}}$, and if $S(x(t),\eta(t)) \not\prec i$ for all $t \in [t_{\mathrm{off}}, t_{\mathrm{on}}]$, then $V_i(t_{\mathrm{off}}) > V_i(t_{\mathrm{on}})$.

Then the submanifold $E_n$ is globally attractive.

Remark: For $i = n$ conditions (1) and (3) above clearly become the same as conditions (1) and (3) in Proposition 6. Note that the proposition suggests that we can examine the stability of the system by simply examining relations between neighbors defined by the switching scheme. This has important implications for the synthesis problem and can be exploited to obtain modularity of the design process.

Proof. We will show that the above conditions imply the conditions of Proposition 6. Assume that a trajectory $x(t)$ evolves on a manifold $M_i$ for an infinite amount of time, but after some time $T$ it never switches to any manifold $M_j$ such that $j \prec i$. Let $I_i = \{t > T \mid S(x(t),\eta(t)) = i\}$, the union of the intervals beyond $T$ during which the system evolves on $M_i$. By condition (3), $V_i$ will be monotonically decreasing on $I_i$ and by condition (2), we can find an infinite sequence of (disjoint) intervals of length $\Delta$ that lie in $I_i$. By the same reasoning that we used in the proof of Proposition 5 to show convergence to $E_n$ we can show that $x(t)$ converges to $E_i$. By condition (1) this implies that the system will switch to some $M_j$, $j \prec i$, which is a contradiction. This and condition (2) above therefore imply condition (2) of Proposition 6.

The last proposition is a convenient tool for designing stable switching control schemes. The algorithm for controller design can be roughly described as:

- Choose a partial order on $\Lambda$ (decide on the hierarchy among the $M_i$'s).

- Design a controller on each $M_i$ that stabilizes a manifold $E_i$.

- Choose a neighborhood $U_i$ of $E_i$ and define a switching scheme so that for $x \in U_i$, $S(x,i) \prec i$.

Clearly, this basic algorithm has to be refined to guarantee that conditions (2) and (3) above are satisfied.

There is an important case in which condition (2) can be satisfied fairly easily. Suppose we want to switch from $M_i$ to $M_j$, $j \prec i$. If $f_j(x, g_j(x))$ in Eq. (2) is bounded for all $x \in U \subset M_j$, where $U$ is a neighborhood that contains the region to which the system switches, then all we need to do is make the system switch in such a way that after the switch to $M_j$ we are some (fixed) finite distance away from any point $x$ in $U$ for which $j \prec S(x,j)$. Because of the bounded rate of change of the state, this implies that the switch will occur only after some finite time interval.

It is difficult to directly design controllers that would satisfy condition (3). An alternative is to combine several controllers, each of which partly satisfies the condition, into a single controller. Suppose we would like to allow switches from $M_i$ to $M_j$, $j \prec i$. To satisfy condition (3), we need to have a controller $g_i$ that is able to decrease the Lyapunov function $V_j$. Controller $g_i$ stabilizes $E_i$, and we also know that the controller $g_j$ decreases the Lyapunov function $V_j$. If $E_i$ is the equilibrium manifold for the system controlled by $g_i$, we can construct a new controller $\tilde g_i$ that behaves as $g_i$ away from $E_i$ and as $g_j$ close to $E_i$. A possible expression for $\tilde g_i$ would be:

$$\tilde g_i(x) = \left(1 - c_1 e^{-c_2 \rho(x,E_i)}\right) g_i(x) + c_1 e^{-c_2 \rho(x,E_i)} g_j(x) \qquad (7)$$

where $c_1$ and $c_2$ are appropriate constants.

Propositions 5-7 provide sufficient conditions for $E_n$ to be attractive, not to be stable. To prove stability we have to show that trajectories starting outside $M_n$ "nicely" converge to $M_n$. One possible way of stating this is:

Corollary 8. The manifold $E_n$ will be stable if in addition to the conditions of Proposition 5:

(3) For any $R > 0$ and every $i$, there exists $r > 0$ such that if $x(t_0) \in M_i \cap B(E_n,r)$ then under the control of $g_i$, $x(t) \in B(E_n,R)$ for every $t \geq t_0$.

Proof. The Lyapunov function $V$ guarantees that for any $R_2 > 0$, there exists $r_2 > 0$ such that $x(t_0) \in M_n \cap B(E_n,r_2)$ implies $x(t) \in B(E_n,R_2)$ as long as $x(t)$ stays in $M_n$. Take $R_2 = \min\{R, L\}$ and find the corresponding $r_2$. Take $R_1 = \min\{R, r_2\}$. By assumption, there exists $r_1$ such that $x(t)$ stays in $B(E_n,R_1)$ for any trajectory starting in $B(E_n,r_1) \setminus M_n$ and evolving in $M_i$. By condition (1) of Proposition 5 and by the choice of $R_1$, $x(t)$ will intersect $M_n$ inside $B(E_n,r_2) \cap M_n$. But a trajectory on $M_n$ that comes inside $B(E_n,r_2) \cap M_n$ will stay inside $B(E_n,L) \cap M_n$ and thus remain under the control of $g_n$ (and stay inside $B(E_n,R)$) for all later times.

We note that this proof is similar to the proof of Theorem 4 in [17].

Remark: If we assume the scenario of Proposition 7 and, for every $i$, $E_i \subset E_n$, the condition of the Corollary will be trivially true.


4 Example

The above results provide a framework for designing hybrid control schemes. In this section we apply the methodology to stabilization of the shimmying wheel (Fig. 1). The dynamic equations of the system are of the form:

$$H \begin{bmatrix} \ddot y \\ \ddot\theta \\ \ddot\phi \end{bmatrix} + \begin{bmatrix} k y + s\,(m_1 + 2m_2)\,\dot\theta^2 \sin\theta \\ 0 \\ 0 \end{bmatrix} = A^T F + \begin{bmatrix} 0 \\ u \\ 0 \end{bmatrix} \qquad (8)$$

where $H$ is the inertia matrix, $F = (F_x, F_y)^T$ is the reaction force of the ground on the wheel, and $A$ is the matrix that relates the relative velocity $v_r$ between the wheel and the ground at the contact point to the rate of change of the generalized coordinates. The system has 6 states: 3 generalized coordinates and 3 generalized velocities.

When the wheel is sliding, we have the following expression for the reaction force $F = F_s$:

$$F_s = -\mu\,\frac{v_r}{\|v_r\|}\,\big(\ldots\big)\,g \qquad (9)$$

where $\mu$ is the coefficient of (dynamic) friction and $g$ is the gravity constant. When the wheel is rolling, we have an additional constraint:

$$v_r = 0 \qquad (10)$$

In this case, the force $F = F_c$ is the constraint force that prevents slippage of the wheel and it can be eliminated from Eq. (8) using Eq. (10) [21, 22]. Equation (10) represents two constraint equations, so the dimension of the system in pure rolling drops to 4. The analysis of the system can be simplified by observing that $\phi$ does not occur in the dynamic equations. It is therefore a cyclic variable and we can limit our study to the dynamics of $y$ and $\theta$. In the formalism of Section 2, the reduced system thus evolves on manifolds $M_1$ and $M_2$ of dimension 4 and 3, respectively, where $M_1 = \mathbb{R}^4$ and $M_2$ is defined by Eq. (10) [21, 22].

The goal of the control is to stabilize the wheel to the state $y = 0$, $\theta = 0$. To this end, we introduce an additional region, $M_3$, but we put $M_3 = M_2$. In other words, we use two different controllers in the rolling regime. Note that nothing in the developed theory prohibits the submanifolds from being equal. Stabilization is therefore achieved with three controllers: a controller $g_1$ for the system in the sliding regime (defined on $M_1$) and controllers $g_2$ and $g_3$ for the system in the rolling mode (defined on $M_2$). The idea is to steer the system with the controllers $g_1$ and $g_2$ to a state $\theta = 0$, $y \neq 0$, from which we can stabilize the system to the desired point with the controller $g_3$. Note that the wheel might start sliding again once under the control of $g_3$.

To design a controller for the system evolving on $M_1$, we linearize the dynamic response for $\theta$. It can be shown that with this controller the dynamics for $y$ and $\phi$ are also (asymptotically) stable. The controller stabilizes the line segment:

$$E_1 = \{(y, 0, 0, 0) \mid |y| < \ldots\}$$

The controller $g_2$ (only defined on $M_2$, when the wheel is rolling) can be designed similarly to $g_1$ after the constraint force is eliminated from the dynamic equations using Eq. (10). The attractive manifold for this controller is a line:

$$E_2 = \{(y, 0, \dot y, 0)\} = \{(y, 0, 0, 0)\}$$

The controller $g_3$ can be derived by observing that instead of the dynamics for $\theta$, we can linearize the dynamics for $y$. Further analysis shows that with this controller, the dynamics for $\theta$ and $\phi$ are stable, so the system converges to the desired point, $E_3 = (0, 0, 0, 0)$. It is also not difficult to construct the Lyapunov functions $V_2$ and $V_3$ for the controllers $g_2$ and $g_3$.

Next, we have to define a partial order and design the switching schemes. We first observe that there is a natural partial order already defined on $\mathcal{M} = \{M_1, M_2, M_3\}$ and it is given by inclusion: $M_1 \supseteq M_2 \supseteq M_3$. The partial order in this case thus becomes a total order and the application of Proposition 7 is therefore particularly straightforward.
The switching scheme $S_1$ is quite simple:

$$S_1(x,\eta) = \begin{cases} 2 & x \in M_2 \wedge \|F_c\| < \mu(m_1 + 2m_2)g \\ 1 & \text{otherwise} \end{cases}$$

The controller $g_2$ has a singularity at $\theta = \pm\frac{\pi}{2}$, but on these two hyperplanes the constraint force is unbounded and they do not intersect (the closure of) $M_2$. The switching scheme $S_2$ is defined in the following way:

$$S_2(x,\eta) = \begin{cases} 3 & \eta = 2 \wedge x \in B(E_3,R_{in}) \wedge V_3(x) < V_3^{3\to 2} \wedge \|F_c\| < \mu(m_1 + 2m_2)g \\ 3 & \eta = 3 \wedge x \in B(E_3,R_{out}) \\ 2 & \text{otherwise} \end{cases}$$

where $R_{in} < R_{out} < \frac{\pi}{2}$ (this guarantees that $B(E_3,R_{out})$ does not intersect the hyperplanes $\theta = \pm\frac{\pi}{2}$), and $V_3^{3\to 2}$ is the value of $V_3$ when the system last switched from the controller $g_3$ to the controller $g_2$. Again, we avoid the hyperplanes $\theta = \pm\frac{\pi}{2}$ because $g_3$ becomes singular there. Observe that the switching scheme explicitly encodes condition (3) of Proposition 7.
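As an added illustration (not the paper's own code), the following Python implements the supervisor logic of $S_1$ and $S_2$ above, including the memory $V_3^{3\to 2}$ and the hysteresis radii $R_{in} < R_{out}$, and runs it over a constructed sequence of observations. The numerical parameters, the `Obs` record and the `ratio` argument (which reproduces the halving of the threshold used in Section 4.1) are assumptions; the physics is abstracted into the quantities the scheme reads.

```python
"""Added example: the supervisor logic of S_1 and S_2 for the shimmying wheel.
The physics is abstracted into an observation record; all numbers are
constructed and are not the paper's values."""
import math
from dataclasses import dataclass

MU, M1, M2, G = 0.8, 2.0, 1.0, 9.81   # constructed friction coefficient, masses, gravity
F_MAX = MU * (M1 + 2 * M2) * G        # bound mu*(m_1 + 2 m_2)*g on ||F_c|| in S_1 and S_2
R_IN, R_OUT = 0.3, 0.6                # hysteresis radii, R_in < R_out < pi/2


@dataclass(frozen=True)
class Obs:
    """What the supervisor reads at one sampling instant (constructed abstraction)."""
    rolling: bool     # x in M_2: the rolling constraint v_r = 0 of Eq. (10) holds
    f_c: float        # ||F_c||, norm of the constraint force
    dist_e3: float    # rho(x, E_3), distance to the target point
    v3: float         # V_3(x), Lyapunov function of the controller g_3


class Supervisor:
    def __init__(self, ratio=1.0):
        self.eta = 1               # controller g_eta currently in use
        self.v3_off = math.inf     # V_3^{3->2}: V_3 at the last switch from g_3 to g_2
        self.ratio = ratio         # 1.0: S_2 as written; 0.5: the modified S_2 of Section 4.1

    def s1(self, obs):
        """S_1: use the rolling controllers only while ||F_c|| is inside the friction cone."""
        return 2 if obs.rolling and obs.f_c < F_MAX else 1

    def s2(self, obs, eta):
        """S_2 on M_2: hand over to g_3 inside B(E_3, R_in) once V_3 has dropped below
        (ratio times) its value at the last switch g_3 -> g_2; keep g_3 while inside
        B(E_3, R_out); otherwise use g_2. This encodes condition (3) of Proposition 7."""
        if (eta == 2 and obs.dist_e3 < R_IN and obs.v3 < self.ratio * self.v3_off
                and obs.f_c < F_MAX):
            return 3
        if eta == 3 and obs.dist_e3 < R_OUT:
            return 3
        return 2

    def step(self, obs):
        """Apply S_1, then S_2 within the rolling regime; return the new controller index."""
        prev = self.eta
        if self.s1(obs) == 1:
            new = 1
        else:
            # re-entering the rolling regime from sliding starts with g_2
            new = self.s2(obs, 2 if prev == 1 else prev)
        if prev == 3 and new == 2:
            self.v3_off = obs.v3   # record V_3^{3->2}
        self.eta = new
        return new


def run(observations, ratio=1.0):
    """Sequence of active controllers produced by a fresh supervisor on `observations`."""
    sup = Supervisor(ratio)
    return [sup.step(o) for o in observations]


# Constructed trajectory: slide, roll under g_2, capture by g_3, drift out past R_out
# (V_3 = 263.4 at that switch), come back with V_3 = 200 and then 130, finally slip.
TRACE = [
    Obs(False, 0.0, 2.0, 500.0),
    Obs(True, 5.0, 1.5, 400.0),
    Obs(True, 5.0, 0.2, 300.0),
    Obs(True, 5.0, 0.5, 260.0),
    Obs(True, 5.0, 0.7, 263.4),
    Obs(True, 5.0, 0.2, 200.0),
    Obs(True, 5.0, 0.2, 130.0),
    Obs(True, 40.0, 0.1, 100.0),
]

if __name__ == "__main__":
    print(run(TRACE))        # [1, 2, 3, 3, 2, 3, 3, 1]
    print(run(TRACE, 0.5))   # [1, 2, 3, 3, 2, 2, 3, 1]: halved threshold delays the handover
```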

The next step would be to check that the conditions of Proposition 7 are satisfied. Since we have a total order on $\mathcal{M}$, it suffices to show that $g_1$ and $g_2$ stabilize $E_2$, and that $g_2$ and $g_3$ stabilize $E_3$. In the interest of keeping the presentation short the proofs will be omitted, but we refer the interested reader to [26] for details. We only mention that in order to guarantee that the controller $g_2$ can arbitrarily decrease the Lyapunov function $V_3$ so that the system can switch to $g_3$, we use the technique described in Eq. (7).


4.1 Simulation results

A typical simulation run of the system controlled with the derived controllers is shown in Fig. 5. The system starts in the sliding regime with the controller $g_1$ active. At 0.9 s the wheel stops sliding and the controller $g_2$ takes over. At 1.14 s the system switches again, this time to the controller $g_3$ that stabilizes the system to the desired state. The switches between different controllers cause discontinuities of the input, as Fig. 5(b) shows. It can be seen in Fig. 5(a) that while the controllers $g_1$ and $g_2$ are active, $\theta$ is the controlled variable and it decreases to 0. When the controller $g_3$ becomes active, the controlled variable becomes $y$ (so it decreases to 0) and $|\theta|$ initially increases. After $y$ becomes small, $|\theta|$ also decreases to 0.

Fig. 5. A typical simulation run.

The next figure illustrates that the modified controller $g_2$ decreases the Lyapunov function $V_3$. Variables $y$ and $\theta$ are shown in Fig. 6(a), while the Lyapunov functions $V_2$ and $V_3$ are shown in Fig. 6(b). The system starts in the rolling regime with the controller $g_3$ active; however, during the first 0.1 s it switches first to the controller $g_2$ and then to the sliding regime and the controller $g_1$ (these switches are not shown). At the switch from $g_3$ to $g_2$ the value of the Lyapunov function $V_3$ is 263.4. To show that the controller can arbitrarily decrease $V_3$, we modified the switching scheme $S_2$ so that the value of the Lyapunov function $V_3$ at the switch from $g_2$ to $g_3$ has to be half the value of the function at the switch from $g_3$ to $g_2$. In our case, the function $V_3$ therefore has to decrease to 131.7 in order to switch to the controller $g_3$. At time 0.38 s, the system switches from sliding to rolling and to the controller $g_2$. The controller decreases the Lyapunov function until it reaches the desired value at time 1.30 s, when the system switches to the controller $g_3$ and the system is stabilized. Figure 6(a) also shows that the controller $g_2$ does not drive $\theta$ to 0 but to some offset value that guarantees the decrease of $V_3$.


5 Conclusion

We investigated the problem of stabilizing a system with changing dynamics with a sequence of controllers. We studied the case when the system evolves on a sequence of embedded manifolds and derived sufficient conditions under which the switching scheme employing different controllers can be guaranteed to stabilize the system to the desired manifold. These sufficient conditions give direct guidance for the design of appropriate controllers. The results were applied to the stabilization of the shimmying wheel. We were able to design a switching scheme that provably stabilizes this system.

The described work can be extended in several directions. We plan to consider more general stabilization problems such as control of a walking robot. In this case, the system has to be stabilized to a periodic orbit that traverses different regions rather than an equilibrium manifold within a single region. An important question is also how to design the individual controllers. For mechanical systems, the energy-momentum method offers some interesting possibilities.

Fig. 6. A modified controller guarantees decreasing of $V_3$.